Versions of selectize-plugin-a11y
prior to 1.1.0 are vulnerable to Cross-Site Scripting. The accessibility.liveRegion.speak
function does not sanitize the msg
variable before rendering it as HTML. If this variable is controlled by user input it allows attackers to execute arbitrary JavaScript in a victim’s browser.
Upgrade to version 1.1.0 or later.