### Summary

An XSS vulnerability exists on index pages for static file handling.

### Details

When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names.

If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.

### Workaround

We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.

Other users can disable `show_index` if unable to upgrade.

-----

Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
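The unescaped-file-name problem described under Details, shown as an added standard-library example (not aiohttp's code and not taken from the linked patch). The function names and the sample file names are constructed for illustration; the safe variant percent-encodes the name for the link target and HTML-escapes it for the visible text.

```python
import html
from urllib.parse import quote

# Constructed sample: file names an uploader could choose (not from the advisory).
SAMPLE_NAMES = ["report.pdf", "<img src=x onerror=alert(1)>.txt", 'a"b&c.txt']


def render_index_unsafe(prefix, names):
    """Behaviour the advisory describes: names interpolated into HTML as-is."""
    items = [f'<li><a href="{prefix}/{n}">{n}</a></li>' for n in sorted(names)]
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def render_index_safe(prefix, names):
    """Escape per output context: URL-encode the href, HTML-escape the text."""
    items = []
    for n in sorted(names):
        # safe="" also encodes "/" so a name can never add a path segment.
        href = html.escape(f"{prefix}/{quote(n, safe='')}", quote=True)
        text = html.escape(n, quote=True)
        items.append(f'<li><a href="{href}">{text}</a></li>')
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def contains_raw_markup(page, names):
    """Regression check: does a name with HTML metacharacters appear verbatim?"""
    return any(n in page for n in names if html.escape(n) != n)


if __name__ == "__main__":
    for render in (render_index_unsafe, render_index_safe):
        page = render("/static", SAMPLE_NAMES)
        print(render.__name__, "raw markup present:",
              contains_raw_markup(page, SAMPLE_NAMES))
        print(page, end="\n\n")
```

A check like `contains_raw_markup` can be run against the index page of a staging server whose static directory holds a file with such a name, to confirm that an upgrade or a reverse-proxy setup actually removed the exposure.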