Summary When dynamic text is interpolated into a "<script>" or "<style>" tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a "<script>" or "<style>" block could break out of the tag with "</SCRIPT>", "</Style>", etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting. Details The affected helpers used case-sensitive regular expressions to detect attempts at closing the surrounding tag: // packages/runtime-tags/src/html/content.ts const unsafeScriptReg = /</script/g; const unsafeStyleReg = /</style/g; // packages/runtime-class/src/runtime/html/helpers/escape-script-placeholder.js const unsafeCharsReg = /</script/g; // packages/runtime-class/src/runtime/html/helpers/escape-style-placeholder.js const unsafeCharsReg = /</style/g; HTML tag names are case-insensitive in the browser parser, so inputs such as "</SCRIPT>", "</Script>", or "</sTyLe>" were not matched by these regexes and passed through the helpers unchanged. A browser rendering the output treats the mixed-case end tag as a valid closing tag, terminating the script or style context, and then parses anything that follows as HTML. The Marko compiler routes interpolated values inside "<script>" and "<style>" tags through these helpers automatically (see "native-tag.ts:1080-1085"), so application code following the framework's conventions had no way to detect or compensate for the gap. PoC $ const userCode = "</SCRIPT><script>alert(1)//"; <script> const data = ${JSON.stringify(userCode)}; </script>Would yield the following: <script>const data = "</SCRIPT><script>alert(1)//";</script>Which is then parsed in any WHATWG-compliant browser as: <script>const data = "</script><script>alert(1)//";</script>Impact Cross-site scripting. Any Marko template that explicitly interpolates untrusted data inside a "<script>" or "<style>" block is affected. Stored XSS is trivial if the value originates from any persisted user input (username, profile bio, comment body, etc.) that is later embedded in a script tag during rendering. Exploitation yields arbitrary JavaScript execution in the victim's browser, enabling session token theft, account takeover, and arbitrary actions as the victim. Since the internal "_escape_script" and "_escape_style" helpers are the framework's designated defense against script/style tag breakout, applications following standard Marko patterns had no obvious reason to add a second layer of sanitization. This does not affect scripts or hydration state serialized by Marko itself — only templates that explicitly interpolate untrusted values inside a <script> or <style> tag. Patch Commit "19d4b37d0" — "fix: html script, style, and comment escaping". - const unsafeScriptReg = /</script/g; + const unsafeScriptReg = /</script/gi; - const unsafeStyleReg = /</style/g; + const unsafeStyleReg = /</style/gi; The same commit also introduced an "_escape_comment" helper and corresponding "escape-comment-placeholder.js", hardening HTML comment escaping as a related preventative fix. Test fixtures were added under "escape-script-case", "escape-style-case", and "escape-comment". Workarounds Upgrade to the patched release. As a short-term mitigation on affected versions, pre-sanitize any untrusted data before it reaches a template position rendered inside a "<script>" or "<style>" tag — e.g. normalize "</script", "</style", and their mixed-case variants before interpolation, or avoid direct interpolation of untrusted values inside these tags entirely.