Vincenzo Di Cicco

**Name of the Vulnerable Software and Affected Versions** Dart SDK versions prior to 2.12.3 **Description** The issue is related to bad validation logic in the Dart SDK, which allows an attacker to perform an XSS attack via DOM clobbering. Specifically, the validation logic in `dart:html` for creating DOM nodes from text did not properly sanitize template tags. **Recommendations** For Dart SDK versions prior to 2.12.3, update to version 2.12.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of `dart:html` for creating DOM nodes from text until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Dart versions up to and including 2.7.1 Dart dev versions up to and including 2.8.0-dev.16.0 **Description** The issue is related to improper HTML sanitization, allowing an attacker to inject custom HTML or JavaScript using DOM Clobbering techniques. This can lead to a cross-site scripting (XSS) attack. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited. **Recommendations** Update your Dart SDK to 2.7.2. Update your Dart dev version to 2.8.0-dev.17.0. If you cannot update, review the way you use the affected APIs and pay special attention to cases where user-provided data is used to populate DOM nodes. Consider using `Element.innerText` or `Node.text` to populate DOM elements.