GHSA-58CW-G322-P94V Mistune has XSS via unescaped figclass/figwidth in Figure directive
In src/mistune/directives/image.py, the render_figure function concatenates the figclass and figwidth options directly into HTML attributes without escaping (lines 152-168). This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer...
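An added example, not mistune's code and not taken from the advisory: a simplified model of the concatenation pattern described above beside an escaped variant, with a parser check that lists which attributes end up on the figure tag. The function names, the class/style attribute layout and the sample option values are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample option values: the double quote closes the class attribute early.
SAMPLE_FIGCLASS = 'wide" data-injected="1'
SAMPLE_FIGWIDTH = "400px"


def render_figure_unescaped(text, figclass=None, figwidth=None):
    """Hypothetical model of the flawed pattern: options concatenated raw."""
    html = '<figure class="figure'
    if figclass:
        html += " " + figclass
    html += '"'
    if figwidth:
        html += ' style="width:' + figwidth + '"'
    return html + ">\n" + text + "</figure>\n"


def render_figure_escaped(text, figclass=None, figwidth=None):
    """Same output shape, but each option is HTML-escaped (quotes included)."""
    html = '<figure class="figure'
    if figclass:
        html += " " + escape(figclass, quote=True)
    html += '"'
    if figwidth:
        # Escaping stops attribute breakout only; the value is still CSS,
        # so restricting it to a length/percentage is a separate check.
        html += ' style="width:' + escape(figwidth, quote=True) + '"'
    return html + ">\n" + text + "</figure>\n"


class _FigureAttrs(HTMLParser):
    """Records the attributes of the first <figure> start tag."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "figure" and self.attrs is None:
            self.attrs = dict(attrs)


def figure_attribute_names(html):
    """Return the sorted attribute names a parser sees on <figure>."""
    parser = _FigureAttrs()
    parser.feed(html)
    parser.close()
    return sorted(parser.attrs or {})
```

The same attribute-name check works as a regression test against a renderer's real output: any name beyond the expected set on the figure tag means an option value escaped its attribute.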