Security in the Elm ecosystem

Cross-site scripting (XSS) in general is a vector to look out for in Elm (to extend on @gampleman’s post). A lot of the known XSS attacks can be mitigated or removed by keeping your browser up to date and applying a hardened content security policy (CSP) on the server side.

Some of the directions I can see in the Elm community are moving away from easy adoption of good CSPs for the sake of development ease. Whilst this is most likely not a conscious decision, it is something we should keep an eye on moving forward.

My purpose in saying this is not intended to call out anyone or any particular project, but a good general example of this that I’ve seen across multiple packages is the use of embedding inline style sheets and/or inline styles directly into divs etc. Just allowing this type of thing in your CSP drops your Mozilla Observatory score by 10 points.

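As an added example that is not part of the post above and not code from any Elm package: the `style-src` directive with the easy `'unsafe-inline'` setting beside a hardened one that allows only specific inline stylesheets by SHA-256 hash, plus a small check that flags the weak keyword. The inline stylesheet is a constructed sample.

```python
import base64
import hashlib

# Constructed sample: an inline <style> block of the kind a package might
# inject into the page (hypothetical content, not taken from any real package).
INLINE_STYLESHEET = ".btn { color: red; }"


def csp_sha256(source: str) -> str:
    """Return the CSP hash-source token ('sha256-<base64>') for one inline block.

    The hash covers the exact text between the <style> tags, so any change to the
    generated CSS invalidates the token and the browser refuses to apply it.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def weak_csp() -> str:
    # The "easy" policy: every inline style is allowed, including any that
    # attacker-controlled markup manages to inject. This is what costs points.
    return "default-src 'self'; style-src 'self' 'unsafe-inline'"


def hardened_csp(inline_blocks: list[str]) -> str:
    # Allow only the listed inline <style> blocks. Note: hash sources cover
    # <style> elements; style="..." attributes on divs additionally need the
    # CSP3 'unsafe-hashes' keyword, which is why attribute styles are the
    # harder case to keep out of a policy.
    hashes = " ".join(csp_sha256(block) for block in inline_blocks)
    return f"default-src 'self'; style-src 'self' {hashes}"


def allows_unsafe_inline(policy: str) -> bool:
    """True when the style-src directive of a policy contains 'unsafe-inline'.

    Useful as a CI check on the header a server actually sends.
    """
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "style-src":
            return "'unsafe-inline'" in parts[1:]
    return False


if __name__ == "__main__":
    print("weak:    ", weak_csp())
    print("hardened:", hardened_csp([INLINE_STYLESHEET]))
```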