@Plazmaz discovered a cross-site scripting flaw in our Render application. When ipynb files failed to preview correctly via our render application, the application insecurely generated an HTML element that included the filename without performing proper encoding or escaping of the filename. Our Content Security Policy (CSP) prevented JavaScript payload execution but we still take these types of vulnerabilities seriously therefore we addressed the vulnerability by using a safe API call to build the HTML element.