MarkUs, a web application for submission and grading of student assignments, contains a cross-site scripting (XSS) vulnerability in versions prior to 2.9.1. The vulnerability exists in the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route which reads and renders student-submitted file contents without proper sanitization. This allows malicious content in student submissions to be executed in the browser. The issue has been patched in version 2.9.1 with proper input sanitization implemented.