DepthFirst | Esbuild’s XSS Bug that Survived 5 Billion Downloads and Bypassed HTML Sanitization

A subtle XSS bug was discovered in esbuild, a JavaScript bundler with billions of downloads, which bypassed its HTML sanitization due to a missing quote escape. This vulnerability allowed a malicious folder name to execute arbitrary JavaScript within the esbuild dev server, and was fixed with a single line of code.

Edward Kiledjian @ekiledjian
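
The class of bug summarized above, shown as an added example that is not part of the original post and is not esbuild's code: an HTML escaper that skips quotes is safe for text nodes but not inside a quoted attribute. The function names, the directory-listing markup and the sample folder name are all assumptions constructed for illustration.

```javascript
// Added illustration, not esbuild's code. All names here are hypothetical.

// Weak escaper: enough for text content, but leaves quote characters alone.
function escapeTextOnly(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened escaper: also encodes both quote characters, so the value
// can never terminate the quoted attribute it is placed in.
function escapeAttr(s) {
  return escapeTextOnly(s).replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Render one directory-listing entry using the supplied escaper
// (assumed markup shape: the name appears in href and as link text).
function renderEntry(name, escape) {
  return `<a href="${escape(name)}/">${escape(name)}/</a>`;
}

// Minimal scanner: list the attribute names a browser would see on the
// opening <a ...> tag. Sufficient for this double-quoted sample markup.
function attrNames(html) {
  const openTag = html.slice(0, html.indexOf(">"));
  const names = [];
  const re = /\s([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(openTag)) !== null) names.push(m[1]);
  return names;
}

// Regression check: a listing entry must carry exactly one attribute, href.
// Anything else means the folder name escaped its attribute value.
function breaksOut(name, escape) {
  const names = attrNames(renderEntry(name, escape));
  return names.length !== 1 || names[0] !== "href";
}

// Constructed sample: a folder name containing a double quote. It uses an
// inert data- attribute to make the breakout visible.
const sampleName = 'docs" data-injected="1';

console.log("weak    :", renderEntry(sampleName, escapeTextOnly));
console.log("hardened:", renderEntry(sampleName, escapeAttr));
console.log("weak breaks out:", breaksOut(sampleName, escapeTextOnly));
console.log("hardened breaks out:", breaksOut(sampleName, escapeAttr));
```

A check like `breaksOut` works as a unit test for any code path that places file-system names into attribute values.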