I can't find validation in the codebase. I used the CKEditor feature with the fake "embed code" of `alert('hello');` and the JavaScript was triggered.
I see the value in being able to provide a token within the WYSIWYG instead of seeing the JavaScript, but given the page seems to render anything you put in there, that seems like a security risk.
Closed: works as designed
Code