Severity: P3 (latent XSS in fallback path) · Tier-2 (Pascal review)
Co-maintained repo (Pascal = architect).
Location: lib/ash_ui/rendering/live_ui_adapter.ex:279-1404
The in-repo fallback generate_heex/2 interpolates many values into markup; some go through html_escape/html_attr but several attribute slots (e.g. data-screen-id="#{iur["id"]}", layout spacing/columns inlined into style=…) are interpolated unescaped. The fallback is only reached when the live_ui package is absent (not the normal runtime), so exposure is limited, but unescaped attribute interpolation is an XSS footgun if the path is ever used with attacker-influenced screen data.
Fix: escape all interpolated attribute values, or treat the fallback as strictly non-production.
2026-05-28 cross-repo review — see ariston-ui docs/audits/cross-repo-review-2026-05-28.md (finding B8).
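Added illustration of the finding, not ash_ui code: `html_attr/1` below is a stand-in for the repo's helper (its real signature is not shown here), `iur` is constructed screen data, and the numeric-coercion for `style=` slots is a suggested hardening beyond plain escaping.

```elixir
defmodule AttrEscapeDemo do
  # Minimal attribute escaper standing in for the repo's html_attr helper (assumed name).
  @escapes %{?& => "&amp;", ?< => "&lt;", ?> => "&gt;", ?" => "&quot;", ?' => "&#39;"}

  def html_attr(value) when is_binary(value) do
    value
    |> String.to_charlist()
    |> Enum.map_join(fn c -> Map.get(@escapes, c, <<c::utf8>>) end)
  end

  def html_attr(value), do: value |> to_string() |> html_attr()

  # Vulnerable shape from the finding: raw interpolation into an attribute slot.
  # A double quote inside iur["id"] closes the attribute early and lets the
  # remainder of the value be parsed as further attributes.
  def screen_tag_unsafe(iur), do: ~s(<div data-screen-id="#{iur["id"]}">)

  # Hardened form: every interpolated attribute value goes through the escaper,
  # so quotes stay inside the attribute as &quot;.
  def screen_tag_safe(iur), do: ~s(<div data-screen-id="#{html_attr(iur["id"])}">)

  # Layout spacing/columns inlined into style= are numbers, not free text:
  # coerce to a non-negative integer and fall back to a safe default instead of
  # relying on escaping alone (suggested hardening, not the repo's current code).
  def spacing_style(spacing) do
    case spacing do
      n when is_integer(n) and n >= 0 -> ~s(style="gap: #{n}px")
      s when is_binary(s) ->
        case Integer.parse(s) do
          {n, ""} when n >= 0 -> ~s(style="gap: #{n}px")
          _ -> ~s(style="gap: 0px")
        end
      _ -> ~s(style="gap: 0px")
    end
  end
end

# Constructed screen data whose id carries a quote that breaks the attribute boundary.
iur = %{"id" => ~s(scr-1" data-injected="1)}
IO.puts(AttrEscapeDemo.screen_tag_unsafe(iur))
IO.puts(AttrEscapeDemo.screen_tag_safe(iur))
# Trailing CSS smuggled into a spacing value is dropped by the integer coercion.
IO.puts(AttrEscapeDemo.spacing_style("8;color:red"))
```

Run with `elixir demo.exs`; the unsafe tag shows the extra `data-injected` attribute while the safe tag keeps the whole value inside `data-screen-id`.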