html-to-draftjs
XSS issue on HTML input using an unsanitised HTML tag
This issue has been validated on a live customer website (I am a Penetration Tester), and on a Proof-of-Concept React app. Due to the potential for exploitation on live websites, the payload is not detailed here.
I have reached out directly to @jpuri with the payload and will update the details here when instructed to, or after a reasonable period if responses are not forthcoming.
Feel free to reach out; my goal is to enhance the security of this very useful package. Thanks!