Closed this issue 8 years ago · 1 comment
If a link contains some HTML and we just blindly render it on the page, users can inject whatever they want.
Fix: Make sure we HTML-escape all link values.
Should be fixed in 86b7a5a
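The problem and fix described in this issue, as an added example that is not the project's own code or the contents of the referenced commit. All function names and the `{ title, url }` link shape are assumptions. It goes one step beyond the issue by also allow-listing URL schemes, since HTML-escaping alone does not neutralise a script-scheme `href`.

```javascript
// Added example; every name here is hypothetical, not taken from the project.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern the issue describes: link values interpolated as-is.
function renderLinkUnsafe(link) {
  return `<a href="${link.url}">${link.title}</a>`;
}

// Escaping stops markup breakout but not a dangerous scheme in href,
// so only absolute URLs with an allow-listed scheme become anchors.
function isAllowedUrl(url) {
  try {
    return ["http:", "https:", "mailto:"].includes(new URL(String(url)).protocol);
  } catch {
    return false; // relative or malformed input is rejected in this sketch
  }
}

// Hardened form: every link value is escaped before it reaches the page.
function renderLinkSafe(link) {
  const title = escapeHtml(link.title);
  if (!isAllowedUrl(link.url)) {
    return `<span>${title}</span>`; // show the text, drop the link
  }
  return `<a href="${escapeHtml(link.url)}" rel="noopener noreferrer">${title}</a>`;
}

// Constructed sample input, not data from the project.
const samples = [
  { title: "Docs", url: "https://example.com/?a=1&b=2" },
  { title: "<img src=x onerror=alert(1)>", url: "https://example.com/" },
  { title: "Home", url: 'https://example.com/" onmouseover="alert(1)' },
  { title: "Click", url: "javascript:alert(1)" },
];

for (const link of samples) {
  console.log(renderLinkSafe(link));
}
```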