Stored XSS via session claim in SSR script tag fixed
@clerk/tanstack-react-start@1.4.20
Patch Changes
-
Escape
<,>, and/when serializing the Clerk auth state into SSR<script>tags, preventing a</script>sequence inside user-controllable session claims from breaking out of the script element (stored XSS). The embedded JSON still parses to identical values on the client. (#9166) by @dominic-clerk -
Updated dependencies [
bcbdda6,e657d99]:- @clerk/shared@4.25.5
- @clerk/backend@3.11.7
- @clerk/react@6.12.5
Fetched July 16, 2026

