Unknown · Lean 4 VS Code Extension · CVE-2026-32732
**Name of the Vulnerable Software and Affected Versions**
Lean 4 VS Code Extension versions 0.1.9 and lower
@leanprover/unicode-input-component versions 0.1.9 and lower
**Description**
Projects that use `@leanprover/unicode-input-component` are susceptible to a cross-site scripting (XSS) issue. The component handles input improperly: it re-inserts the text into the input element as unescaped HTML, so markup contained in the text is parsed rather than displayed. This allows for the injection of malicious scripts. The issue is present in version 0.1.9 and earlier of the component.
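An added illustration of this bug class, not code from the component or the Lean project: a constructed input routine that expands abbreviations and writes the text back as HTML, first without escaping and then with it. The abbreviation table, the function names and the sample input are assumptions made for the example.

```javascript
// Constructed example: NOT the code of @leanprover/unicode-input-component.
// Hypothetical abbreviation table (assumption for illustration).
const ABBREVIATIONS = { alpha: "α", to: "→", forall: "∀" };

// Replace completed abbreviations such as "\alpha " with their symbol.
function expandAbbreviations(text) {
  return text.replace(/\\([a-z]+) /g, (match, name) =>
    Object.prototype.hasOwnProperty.call(ABBREVIATIONS, name) ? ABBREVIATIONS[name] : match);
}

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Split off a trailing, still-incomplete abbreviation (e.g. "\al") so it can be underlined.
function splitPending(text) {
  const m = /\\[a-z]*$/.exec(text);
  return m ? [text.slice(0, m.index), m[0]] : [text, ""];
}

// Vulnerable pattern: user text is re-inserted as markup without escaping.
function renderUnsafe(text) {
  const [done, pending] = splitPending(expandAbbreviations(text));
  return done + (pending ? `<u>${pending}</u>` : "");
}

// Hardened pattern: every user-controlled segment is escaped; only the <u> wrapper is markup.
function renderSafe(text) {
  const [done, pending] = splitPending(expandAbbreviations(text));
  return escapeHtml(done) + (pending ? `<u>${escapeHtml(pending)}</u>` : "");
}

// Constructed input: typed or pasted text that happens to contain markup.
const sample = "\\alpha <img src=x onerror=alert(1)> \\to";
console.log("unsafe:", renderUnsafe(sample)); // the <img> tag survives as live markup
console.log("safe:  ", renderSafe(sample));   // the tag is rendered as inert text
```

In a DOM context, writing user text through `textContent` or building nodes with `document.createElement` avoids string-built HTML altogether.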
**Recommendations**
Update `@leanprover/unicode-input-component` to version 0.2.0 or later.
As a workaround, replace the unicode input component with a basic HTML text field.