airbnb / lottie-web

Render After Effects animations natively on Web, Android and iOS, and React Native. http://airbnb.io/lottie/

Lottie web security vulnerability

nnhk23 opened this issue · comments

Tell us about your environment

  • Browser and Browser Version: Chrome ver 119

What did you do? Please explain the steps you took before you encountered the problem.
Our team recently encountered a security vulnerability while using lottie-web: a stored XSS in Lottiefiles via expressions. Repro steps:

  1. Download and copy the content of the attached testx05.json file
  2. Paste the Lottie template to the website: https://lottiefiles.github.io/lottie-docs/playground/json_editor/
  3. You should see an alert indicating a successful Cross-Site Scripting attack.
[screenshot attached: Screenshot 2023-10-20 at 22:12:06]

Posting additional info on behalf of my team: this is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim’s browser.
Also I see that not all payloads have access to cookies. In my current payload I have a redirect-based payload:
"x": "var $bm_rt = [256, 256]\nvar rotation = location='javascript:alert(document.cookie)'"
The same will not work if the payload has no redirect with the js protocol: rotation = alert(document.cookie)
What did you expect to happen?
Ensure all user supplied content is properly HTML output encoded.
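The report above hinges on Lottie storing an expression as a JavaScript string under the key "x" of an animated property object, which an expression-capable player then evaluates. As an added defensive example (not lottie-web's or Lottiefiles' own code), the following strips every string-valued "x" from an untrusted animation before it reaches the player and reports what it removed; the sample animation and the function names are constructed for this example.

```javascript
// Added example (not lottie-web's own code): strip Lottie expressions from an
// animation JSON before an expression-capable player loads it. Lottie keeps an
// expression as a JavaScript string under key "x" of an animated property
// ({"a":0,"k":[...],"x":"var $bm_rt = ..."}); the player evaluates it as code,
// which is what makes untrusted animations an XSS vector. Bezier handles also
// use "x" but with numeric/array values, so only string-valued "x" is removed.

function stripLottieExpressions(node, path = '$', found = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => stripLottieExpressions(child, `${path}[${i}]`, found));
  } else if (node && typeof node === 'object') {
    if (typeof node.x === 'string') {
      found.push({ path: `${path}.x`, expression: node.x });
      delete node.x; // drop the expression, keep the static/keyframed value "k"
    }
    for (const key of Object.keys(node)) {
      stripLottieExpressions(node[key], `${path}.${key}`, found);
    }
  }
  return found;
}

// Parse untrusted JSON, remove expressions, and return both the cleaned
// animation and a list of what was removed (useful for logging/alerting).
function sanitizeLottieJson(text) {
  const animation = JSON.parse(text);
  const removed = stripLottieExpressions(animation);
  return { animation, removed };
}

// Constructed sample: one layer whose position carries the expression shape
// quoted in the report, plus a keyframed rotation with bezier "x" handles.
const SAMPLE = JSON.stringify({
  v: '5.7.4', fr: 30, ip: 0, op: 60, w: 512, h: 512,
  layers: [{
    ty: 4, ind: 1, ip: 0, op: 60, st: 0,
    ks: {
      p: { a: 0, k: [256, 256],
           x: "var $bm_rt = [256, 256]\nvar rotation = location='javascript:alert(document.cookie)'" },
      r: { a: 1, k: [{ t: 0, s: [0], i: { x: [0.5], y: [1] }, o: { x: [0.5], y: [0] } }] }
    }
  }]
});

const result = sanitizeLottieJson(SAMPLE);
console.log(`removed ${result.removed.length} expression(s):`, result.removed.map(r => r.path));
```

Treating any non-empty `removed` list as a rejection (rather than silently loading the cleaned file) is the stricter policy for content uploaded by untrusted users.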