Auth0 Lock prior to 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder.
auth0 lock