Cloudflare Public Bug Bounty: `use-mcp`'s oauth2 process uses a window.open call with untrusted mcp server provided data allowing for code execution under the page using it

The authorizeEndpoint parameter from use-mcp version was susceptible to XSS. Sanitization of that parameter was added in version 0.0.10 of use-mcp. A skilled attacker was able to turn this XSS into code execution on the client...