Stored XSS via session claims fixed; initialization hardened
@clerk/astro@3.4.19
Patch Changes
-
Fix Astro initialization when bundled
uiorprefetchUI: falseis passed to the integration. (#8628) by @jescalan -
Escape
<,>, and/when serializing the Clerk auth state into SSR<script>tags, preventing a</script>sequence inside user-controllable session claims from breaking out of the script element (stored XSS). The embedded JSON still parses to identical values on the client. (#9166) by @dominic-clerk -
Updated dependencies [
bcbdda6,e657d99]:- @clerk/shared@4.25.5
- @clerk/backend@3.11.7
Fetched July 16, 2026


