Unknown · Slim Select · CVE-2024-9440
**Name of the Vulnerable Software and Affected Versions**
Slim Select versions 2.0 through 2.9.0
**Description**
The issue is a potential cross-site scripting vulnerability. In the `createOption()` function, the `text` variable from the user-provided Options object is assigned to `innerHTML` without sanitization. This may allow attackers to execute JavaScript, resulting in cross-site scripting. Software that depends on this library to dynamically generate lists using unsanitized user-provided input may be vulnerable.
**Recommendations**
For Slim Select versions 2.0 through 2.9.0, consider updating to version 2.9.2, which includes a fix for this issue.
For versions prior to 2.9.2, as a temporary workaround, consider sanitizing the `text` variable from the user-provided Options object before it is assigned to `innerHTML` to prevent cross-site scripting.
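
One way to apply this workaround in the calling application, as an added example that is not Slim Select's own code: HTML-escape each option's `text` before the Options object is handed to the library. `escapeHtml` and `sanitizeOptions` are hypothetical helper names, and the assumption that grouped entries hold their children in an `options` array is not taken from this advisory.

```javascript
// Added example: escape option text before it can reach an innerHTML sink.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every HTML-significant character with its entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Return a copy of an options array with every `text` value escaped.
// Assumption: grouped entries carry their children in an `options` array.
// All other fields are copied unchanged; the input is not mutated.
function sanitizeOptions(options) {
  if (!Array.isArray(options)) {
    throw new TypeError('options must be an array');
  }
  return options.map((opt) => {
    if (opt === null || typeof opt !== 'object') {
      throw new TypeError('each option must be an object');
    }
    const clean = { ...opt };
    if (clean.text != null) clean.text = escapeHtml(clean.text);
    if (Array.isArray(clean.options)) {
      clean.options = sanitizeOptions(clean.options);
    }
    return clean;
  });
}

// Constructed sample input standing in for user-provided data.
const untrusted = [
  { text: '<img src=x onerror=alert(1)>', value: '1' },
  { label: 'Group', options: [{ text: 'Tom & "Jerry"', value: '2' }] },
];
const safe = sanitizeOptions(untrusted);
console.log(JSON.stringify(safe, null, 2));
```

Pass the returned array to Slim Select in place of the raw input. Wherever the text is rendered through a non-HTML sink such as `textContent`, the entities will be displayed literally.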
Restrict access to the `createOption()` function in `select.ts` to minimize the risk of exploitation until a patch is applied.