phoenix_html is vulnerable to Cross-Site Scripting (XSS) attacks. The library does not properly escape the special characters before it outputs to the front end, allowing an attacker to inject and execute malicious JavaScript via HEEx
class attributes in tag.ex
.