kumu/widgets

Default embed needs to escape output

Right now the widget is rendered as-is if no routes match, allowing unsanitized HTML to be injected. Looks like the sanitizer is catching these, but we'll want to encode the content before rendering as an extra precaution.
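The fix the issue asks for, sketched as an added example that is not code from kumu/widgets: a default embed that encodes unmatched content instead of returning it unchanged. The route table, the function names, the `widget-default` class and the `example.com` URLs are all assumptions made for illustration.

```javascript
// Added example: hypothetical widget renderer, not the project's own code.
// Routes map a recognised URL to an embed; anything else hits the default.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical route table with a single route.
const routes = [
  {
    match: (src) => /^https:\/\/example\.com\/v\/([A-Za-z0-9_-]+)$/.exec(src),
    render: (m) => `<iframe src="https://example.com/embed/${escapeHtml(m[1])}"></iframe>`,
  },
];

// Return the first matching route's output, or null when nothing matches.
function renderRoute(src) {
  for (const route of routes) {
    const m = route.match(src);
    if (m) return route.render(m);
  }
  return null;
}

// Before: unmatched content is returned as-is, so only the sanitizer stands
// between the input and the page.
function renderWidgetUnsafe(src) {
  const html = renderRoute(src);
  return html !== null ? html : src;
}

// After: unmatched content is encoded, so it is displayed as text and never
// parsed as markup, whether or not the sanitizer catches it.
function renderWidget(src) {
  const html = renderRoute(src);
  return html !== null ? html : `<span class="widget-default">${escapeHtml(src)}</span>`;
}

// Constructed sample inputs: one matching URL, one string containing markup.
const samples = ['https://example.com/v/abc123', '<b onmouseover="x()">hi</b> & more'];
for (const s of samples) {
  console.log(renderWidget(s));
}
```

Encoding in the default path keeps the sanitizer as a second layer rather than the only one.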