i18next is vulnerable to cross-site scripting (XSS) attacks. The interpolation resolution code in translate.js
loops over each key in the dictionary and applies replacements one at a time. It is possible for an untrusted user to input the name of another key in the dictionary. Along with the un-escaped suffix feature in i18next, it may allow attackers to use the name of another key in the dictionary to inject code into the browser.