Keycloak is vulnerable to a cross-site scripting (XSS) attack. The library does not sanitize the state
parameter properly in the authentication URL when the response_mode=form_post
option is used. This can allow a malicious user to inject and execute arbitrary JavaScript in the victim's browser.
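The defect class described above is a reflected value embedded into the auto-submitting HTML form that response_mode=form_post returns. The following is an added, hypothetical illustration (not Keycloak's own code) of a form_post renderer that HTML-escapes every parameter, including state, before embedding it, contrasted with the unsafe string-concatenation version; the redirect URI and state value are constructed sample inputs.

```python
import html


def render_form_post_unsafe(redirect_uri: str, params: dict) -> str:
    """Vulnerable pattern: parameters are concatenated into the HTML
    attribute unescaped, so a state value containing '"><script>' breaks
    out of the attribute and runs in the user's browser."""
    inputs = "".join(
        f'<input type="hidden" name="{k}" value="{v}"/>' for k, v in params.items()
    )
    return (
        f'<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{redirect_uri}">{inputs}</form></body></html>'
    )


def render_form_post_safe(redirect_uri: str, params: dict) -> str:
    """Hardened pattern: every attribute value (action, name, value) is
    HTML-escaped with quote=True so '"', '<', '>' and '&' cannot terminate
    the attribute or open a tag. The browser decodes the entities back to the
    original state value when it submits the form, so functionality is kept."""
    esc = lambda s: html.escape(str(s), quote=True)
    inputs = "".join(
        f'<input type="hidden" name="{esc(k)}" value="{esc(v)}"/>'
        for k, v in params.items()
    )
    return (
        f'<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{esc(redirect_uri)}">{inputs}</form></body></html>'
    )


def contains_raw_tag(page: str, tag: str = "<script") -> bool:
    """Simple defender-side check: an unescaped tag in the rendered page means
    the reflected parameter escaped its attribute context."""
    return tag in page.lower()


# Constructed sample: a state value carrying a classic attribute breakout.
SAMPLE_PARAMS = {"code": "AUTHZ-CODE-EXAMPLE", "state": 'abc"><script>alert(1)</script>'}
SAMPLE_REDIRECT = "https://client.example.test/callback"
```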