releases.shpreview

Stored XSS via session claim in SSR script tag fixed

@clerk/tanstack-react-start@1.4.20

1 fixThis release1 fixBug fixesAI-tallied from the release notes
From the original release noteView original ↗

Patch Changes

  • Escape <, >, and / when serializing the Clerk auth state into SSR <script> tags, preventing a </script> sequence inside user-controllable session claims from breaking out of the script element (stored XSS). The embedded JSON still parses to identical values on the client. (#9166) by @dominic-clerk

  • Updated dependencies [bcbdda6, e657d99]:

    • @clerk/shared@4.25.5
    • @clerk/backend@3.11.7
    • @clerk/react@6.12.5

Fetched July 16, 2026

Stored XSS via session claim in SSR script tag fixed… — releases.sh