shave prior to 2.5.3 are vulnerable to Cross-Site Scripting. The
shave package overwrites HTML elements and in doing so fails to properly encode the output. If encoded HTML input is passed into
shave the output will be decoded which may lead to Cross-Site Scripting.
Upgrade to version 2.5.3 or later.