How big of a security vulnerability is using Thymeleaf's

th:utext

? I'm trying to render a page using Thymeleaf but there are certain parts of the website which are much easier rendered using

kotlinx.html

. I'd like to inject them using

th:utext

but this Stackoverflow answer and a comment underneath it says it's a security vulnerability.

A giant one: you have to avoid getting any user input inside that. Eg, if user could provide content of the variable, he could just provide

<script> /* arbitrary JS */ </script>

and do whatever he wanted every time that gets rendered. Of course, if you prevent user providing input to this variable, it should not be issue. (But of course, think long and hard why you want to do that)

Yeah, understandable. Thank you. What are my other options?