Default embed needs to escape output
rymohr commented
Right now the widget is rendered as is if no routes match, allowing unsanitized HTML to be injected. Looks like the sanitizer is catching these, but we'll want to encode the content before rendering as an extra precaution.
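The fallback behaviour described in this issue, sketched as an added example (not the project's code and not part of the original comment): a route-based embed renderer whose default branch returns content unchanged, next to one that encodes it. The names `routes`, `renderEmbedUnsafe`, `renderEmbed` and `escapeHtml`, the `embed-default` class and the sample route are all assumptions made for illustration.

```javascript
// Added example: hypothetical embed renderer; every name here is an assumption.

// Encode the characters that are significant in HTML text and quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed route table: a route recognises one kind of widget content and
// builds markup only from the validated capture group, never from raw input.
const routes = [
  {
    name: 'video',
    match: (content) => /^https:\/\/www\.youtube\.com\/watch\?v=([\w-]{11})$/.exec(content),
    render: (m) => `<iframe src="https://www.youtube.com/embed/${m[1]}"></iframe>`,
  },
];

function firstMatch(content) {
  for (const route of routes) {
    const m = route.match(content);
    if (m) return route.render(m);
  }
  return null; // no route recognised the content
}

// Before: when no route matches, the widget content is returned as is,
// so any markup in it reaches the page unless a later sanitizer strips it.
function renderEmbedUnsafe(content) {
  return firstMatch(content) ?? content;
}

// After: the default embed encodes the content, so it is displayed as text
// even if the downstream sanitizer is bypassed or removed.
function renderEmbed(content) {
  return firstMatch(content) ?? `<div class="embed-default">${escapeHtml(content)}</div>`;
}

// Constructed sample input containing markup that matches no route.
const sample = '<b onmouseover="f()">hi</b>';
console.log(renderEmbedUnsafe(sample)); // markup passes through unchanged
console.log(renderEmbed(sample));       // markup is encoded
```

Encoding at the fallback is independent of the sanitizer, so the two act as separate layers rather than one relying on the other.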