releases.shpreview

SSR script tags escape `<`, `>`, and `/` to prevent XSS

@clerk/shared@4.25.5

1 fixThis release1 fixBug fixesAI-tallied from the release notes
From the original release noteView original ↗

Patch Changes

  • Escape <, >, and / when serializing the Clerk auth state into SSR <script> tags, preventing a </script> sequence inside user-controllable session claims from breaking out of the script element (stored XSS). The embedded JSON still parses to identical values on the client. (#9166) by @dominic-clerk

Fetched July 16, 2026

SSR script tags escape `<`, `>`, and `/` to prevent XSS… — releases.sh