justhtml XSS via blank line in inline code span within link
What changed
In justhtml 0.9.0 through 1.21.0, to_markdown() renders <code> and <pre> text inside a link as an inline Markdown code span. A blank line (\n\n) in that text terminates the inline span, causing attacker-controlled text that survived HTML sanitization to be emitted unescaped and re-parsed as live raw HTML/Markdown, leading to XSS.
Who it affects
Any application that uses justhtml with default settings to sanitize untrusted HTML, calls to_markdown() on the sanitized tree, and renders the resulting Markdown with a CommonMark-compliant renderer (raw-HTML passthrough is the default in such renderers, so the re-emitted tags execute).
What to do today
Update justhtml to a patched version once one is available, or apply the recommended fix: in _markdown_code_span and the <code>/in-link <pre> dispatch, if the content contains a blank line, emit it as a fenced code block instead of an inline span. A fenced block, unlike an inline span, may contain blank lines, so the attacker text stays inside code and is never re-parsed as HTML.
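The following is an added, stand-alone model of the mechanism described above and of the recommended fix; it is not justhtml's code and does not import it. The functions vulnerable_link_with_code, fixed_link_with_code and live_html_fragments are hypothetical names chosen here. live_html_fragments applies the two CommonMark rules that matter: a backtick string only closes a code span within the same paragraph (a blank line ends the paragraph), and a fenced block swallows blank lines. Because a fenced block cannot sit inside a link label, the modelled fix emits the link target after the block as an autolink; that placement is an assumption, not something the advisory specifies. The payload is constructed for the demonstration.

```python
import re

# Constructed sample: text inside <code> that an HTML sanitizer passes through,
# since it is character data in the DOM, not markup.
PAYLOAD = "harmless\n\n<script>alert(1)</script>"
HREF = "https://example.invalid/"

BLANK_LINE = re.compile(r"\n[ \t]*\n")


def longest_backtick_run(text: str) -> int:
    return max((len(r) for r in re.findall(r"`+", text)), default=0)


def inline_code_span(text: str) -> str:
    # Use one more backtick than any run inside the text (CommonMark rule).
    ticks = "`" * (longest_backtick_run(text) + 1)
    return f"{ticks}{text}{ticks}"


def vulnerable_link_with_code(text: str, href: str) -> str:
    """Hypothetical model of the affected behaviour: always an inline span in the link label."""
    return f"[{inline_code_span(text)}]({href})"


def fixed_link_with_code(text: str, href: str) -> str:
    """Hypothetical model of the fix: a blank line forces a fenced block (fence longer than any run)."""
    if BLANK_LINE.search(text):
        fence = "`" * max(3, longest_backtick_run(text) + 1)
        # Assumption: the link cannot wrap a block, so the target follows as an autolink.
        return f"{fence}\n{text}\n{fence}\n\n<{href}>"
    return f"[{inline_code_span(text)}]({href})"


def _strip_fenced_blocks(markdown: str) -> str:
    """Drop fenced code blocks; a closing fence needs at least as many backticks as the opener."""
    kept, fence_len = [], 0
    for line in markdown.split("\n"):
        opener = re.match(r"^ {0,3}(`{3,})", line)
        if fence_len == 0 and opener:
            fence_len = len(opener.group(1))
            continue
        if fence_len and re.match(r"^ {0,3}`{%d,}\s*$" % fence_len, line):
            fence_len = 0
            continue
        if fence_len == 0:
            kept.append(line)
    return "\n".join(kept)


def _mask_code_spans(paragraph: str) -> str:
    """Blank out inline code spans: a backtick run closes at the next run of equal length."""
    runs = [(m.start(), m.end()) for m in re.finditer(r"`+", paragraph)]
    chars = list(paragraph)
    i = 0
    while i < len(runs):
        start, end = runs[i]
        for j in range(i + 1, len(runs)):
            if runs[j][1] - runs[j][0] == end - start:
                for k in range(start, runs[j][1]):
                    chars[k] = " "
                i = j
                break
        i += 1
    return "".join(chars)


def live_html_fragments(markdown: str) -> list[str]:
    """Return HTML start tags a CommonMark renderer would pass through as raw HTML.

    Paragraphs are split on blank lines first, so a span opened before a blank
    line cannot protect text after it. Autolinks like <https://...> are excluded.
    """
    found = []
    for para in BLANK_LINE.split(_strip_fenced_blocks(markdown)):
        found += re.findall(r"<[A-Za-z][A-Za-z0-9-]*(?:\s[^>]*)?>", _mask_code_spans(para))
    return found


if __name__ == "__main__":
    print(live_html_fragments(vulnerable_link_with_code(PAYLOAD, HREF)))  # ['<script>']
    print(live_html_fragments(fixed_link_with_code(PAYLOAD, HREF)))       # []
```

Running the block shows the core of the bug: the vulnerable output puts `<script>` in a second paragraph where no backtick run can close the span that opened in the first, so a renderer treats it as raw HTML; the fenced form keeps the same bytes inside code. Text without a blank line, such as `a<b>c`, renders safely in both forms, which is why the check keys on blank lines rather than on angle brackets.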