IA Squad
python · dosage · Heads-up

dosage: Stored XSS in HTML and RSS output handlers

27 Jun 2026 · Read 1 min · Severity: schedule it

What changed

The HTML and RSS output handlers in dosagelib/events.py write user-controlled content (comic text and page URLs) directly into generated files without proper HTML escaping, leading to stored XSS.

Who it affects

Users who use dosage with --output html or --output rss options and open the generated files in a browser.

What to do today

Apply the recommended fix by escaping all user-controlled content with html.escape() before writing to HTML/RSS output.
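The fix described above, sketched for the HTML case as an added example (this is not dosage's own code; the function names, the markup and the sample values are assumptions constructed for illustration). It places the unescaped pattern next to the escaped one, and it goes one step beyond the recommended fix by restricting link schemes, because escaping alone does not constrain what an href points at.

```python
import html
from urllib.parse import urlsplit

# Constructed sample standing in for scraped comic metadata (not real data).
SAMPLE = {
    "page_url": 'https://comics.example/strip/1?a=1&b="><script>alert(1)</script>',
    "text": "<img src=x onerror=alert(1)> Today's strip & more",
}


def render_entry_unescaped(page_url, text):
    """The 'before' pattern: scraped values interpolated straight into markup."""
    return '<li><a href="%s">%s</a></li>' % (page_url, text)


def safe_href(url):
    """Hypothetical helper: allow only http(s) links, otherwise fall back to '#'."""
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return "#"
    return url if scheme in ("http", "https") else "#"


def render_entry_escaped(page_url, text):
    """The 'after' pattern: every scraped value passes through html.escape().

    quote=True (the default) also escapes " and ', which matters here because
    page_url is written inside a double-quoted attribute value.
    """
    return '<li><a href="%s">%s</a></li>' % (
        html.escape(safe_href(page_url), quote=True),
        html.escape(text, quote=True),
    )


if __name__ == "__main__":
    print("before:", render_entry_unescaped(**SAMPLE))
    print("after: ", render_entry_escaped(**SAMPLE))
```

Files generated before the fix still contain the unescaped markup, so regenerate them after patching rather than reopening old output.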
