Intent-Code Divergence
Low
- Confidence
- 89% confidence
- Finding
- The documentation explicitly encourages passing raw HTML fragments into `InfoWindow` content and titles without any warning about sanitization or trust boundaries. If developers follow this guidance with untrusted user input, it can lead to DOM-based XSS in the application context, especially because the content is rendered in the browser UI.
