On January 26th, a Gentrace customer reported a cross-site scripting (XSS) vulnerability found by a security consultant, which occurred due to unsanitized text rendered in OpenAI input and output blocks within the Gentrace UI. The issue was linked to the use of Mustache for interpolating content without automatic template sanitization. By January 28th, Gentrace addressed the vulnerability by escaping content before rendering and thoroughly scanning their production database, finding no malicious hits beyond the initial benign security test. To prevent future occurrences, Gentrace audited their codebase to ensure all user-generated content passed to React's dangerouslySetInnerHTML is sanitized with DOMPurify, and they implemented a react/no-danger eslint error to enforce safety checks during pull request reviews. With the fix in place and no users affected, no actions were recommended for customers, and Gentrace encouraged feedback on best practices while promoting their newsletter for updates and AI engineering insights.