GHSA-WRRJ-H57R-VX9P Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports
The Rust Security Response WG was notified that Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject nearly arbitrary HTML here, potentially leading to XSS if the report is subsequent...