SSR script tags escape `<`, `>`, and `/` to prevent XSS
@clerk/shared@4.25.5
1 fixThis release1 fixBug fixesAI-tallied from the release notes
From the original release noteView original ↗
Patch Changes
- Escape
<,>, and/when serializing the Clerk auth state into SSR<script>tags, preventing a</script>sequence inside user-controllable session claims from breaking out of the script element (stored XSS). The embedded JSON still parses to identical values on the client. (#9166) by @dominic-clerk
Fetched July 16, 2026


