LeafKit · CVE-2026-28499
**Name of the Vulnerable Software and Affected Versions**
LeafKit versions prior to 1.14.2
**Description**
LeafKit is a templating language with Swift-inspired syntax. Before version 1.14.2, HTML escaping does not work when a template prints a collection (an Array or a Dictionary) with `#(value)`. The cause is the `LeafData.htmlEscaped()` function: because converting an Array or Dictionary to a `String` is considered ambiguous, it returns `self` unescaped for those cases. The unescaped collection is then serialized element by element, and each element reaches the output without escaping. Untrusted input placed inside such a collection is therefore rendered as raw HTML, which can lead to cross-site scripting (XSS). A proof of concept (PoC) shows that malicious input inside an array or dictionary triggers XSS when the collection is rendered in a Leaf template.
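To make the failure mode concrete, the following is an added example and not LeafKit's own code: it models the escaping step and the serializer with a small `Value` enum. The names `Value`, `htmlEscapedLeaky`, `htmlEscapedRecursive`, `serialize` and `render` are chosen for this illustration and are not LeafKit identifiers. The leaky variant returns collections unescaped, as the advisory describes for `LeafData.htmlEscaped()`, and the recursive variant is one way to close the gap; the attacker input is constructed for the example.

```swift
// Added example, not LeafKit's code. Models why collections printed with
// `#(value)` bypassed escaping before 1.14.2 and what a recursive fix looks like.
// `Value`, `htmlEscapedLeaky`, `htmlEscapedRecursive`, `serialize`, `render`
// are names chosen for this illustration, not LeafKit identifiers.

enum Value {
    case string(String)
    case int(Int)
    case array([Value])
    case dictionary([String: Value])
}

extension String {
    /// Escape the five characters that matter in HTML text and attribute context.
    func htmlEscaped() -> String {
        var out = ""
        out.reserveCapacity(count)
        for c in self {
            switch c {
            case "&": out += "&amp;"
            case "<": out += "&lt;"
            case ">": out += "&gt;"
            case "\"": out += "&quot;"
            case "'": out += "&#39;"
            default: out.append(c)
            }
        }
        return out
    }
}

extension Value {
    /// Models the pre-1.14.2 behaviour: scalars are escaped, but collections are
    /// returned as-is because their String conversion is treated as ambiguous.
    func htmlEscapedLeaky() -> Value {
        switch self {
        case .string(let s): return .string(s.htmlEscaped())
        case .int: return self
        case .array, .dictionary: return self   // bug: elements are never escaped
        }
    }

    /// Fixed behaviour: escaping is applied recursively to every leaf string.
    func htmlEscapedRecursive() -> Value {
        switch self {
        case .string(let s): return .string(s.htmlEscaped())
        case .int: return self
        case .array(let a): return .array(a.map { $0.htmlEscapedRecursive() })
        case .dictionary(let d): return .dictionary(d.mapValues { $0.htmlEscapedRecursive() })
        }
    }

    /// Models the serializer: collections are rendered element by element with
    /// no further escaping, so whatever survived the escaping step reaches the page.
    func serialize() -> String {
        switch self {
        case .string(let s): return s
        case .int(let i): return String(i)
        case .array(let a):
            return "[" + a.map { $0.serialize() }.joined(separator: ", ") + "]"
        case .dictionary(let d):
            return "[" + d.keys.sorted().map { "\($0): \(d[$0]!.serialize())" }.joined(separator: ", ") + "]"
        }
    }
}

/// Simulates `#(value)` for one template variable, with or without the fix.
func render(_ value: Value, fixed: Bool) -> String {
    let escaped = fixed ? value.htmlEscapedRecursive() : value.htmlEscapedLeaky()
    return escaped.serialize()
}

// Constructed attacker-controlled input for the example.
let payload = "<script>alert(1)</script>"
let escapedPayload = "&lt;script&gt;alert(1)&lt;/script&gt;"
let scalar: Value = .string(payload)
let list: Value = .array([.string("ok"), .string(payload)])
let dict: Value = .dictionary(["name": .string(payload), "n": .int(1)])

// A plain string was always escaped, so the PoC needs a collection.
precondition(render(scalar, fixed: false) == escapedPayload)
// Pre-fix: the raw markup survives inside an Array or Dictionary.
precondition(render(list, fixed: false).contains(payload))
precondition(render(dict, fixed: false).contains(payload))
// Post-fix: every element of the collection is escaped.
precondition(render(list, fixed: true) == "[ok, \(escapedPayload)]")
precondition(render(dict, fixed: true) == "[n: 1, name: \(escapedPayload)]")

print("leaky:", render(dict, fixed: false))
print("fixed:", render(dict, fixed: true))
```

Run it with `swift example.swift`. All preconditions hold: the scalar is escaped in both variants, while the array and dictionary only come out escaped under the recursive variant; under the leaky one the raw `<script>` tag reaches the rendered string, which is exactly the condition the PoC relies on. The design point is that escaping must be applied at the leaf strings, not decided once at the top-level value, because the serializer emits elements without a second escaping pass.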
**Recommendations**
Update to LeafKit version 1.14.2 or later. If updating is not immediately possible, avoid printing untrusted Arrays or Dictionaries directly with `#(value)`; since the escaping failure is specific to collections, printing each scalar element individually keeps string escaping in effect.