@sgiehl opened this Pull Request on June 16th 2020 Member

Checked with website titles like <b>test</b> or {{CONSTRUCTOR.CONSTRUCTOR("_X()")()}} whether removing the escape opens up some HTML or Angular execution, but it seems the content is still encoded once.

fixes #16072

This Pull Request was closed on July 5th 2020