On 16.07.2017 at 11:17, Sönke Ludwig wrote:
(...) However, I just noticed that this is still possible to exploit in the Markdown processor. User-defined HTML is filtered, but link targets are passed to the rendered HTML as-is (just HTML encoded).
https://github.com/rejectedsoftware/vibe.d/pull/1846
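The gap described in the message above, as an added Python example (not code from vibe.d or from the linked pull request): HTML-encoding a link target keeps it inside the attribute but does not change its URL scheme, so a renderer also needs a scheme check. It assumes the concern is script-bearing URL schemes; the function names and the allowlist are hypothetical, and the sample targets are constructed.

```python
import html
import re

# Assumed policy for this example; not taken from vibe.d.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

_TAB_NEWLINE = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize(target: str) -> str:
    """Mirror browser URL pre-processing: drop tab/newline anywhere,
    then strip leading/trailing C0 control characters and spaces."""
    return _TAB_NEWLINE.sub("", target).strip(_C0_AND_SPACE)


def is_safe_link_target(target: str) -> bool:
    """True for relative references and for allowlisted schemes."""
    match = _SCHEME.match(normalize(target))
    if match is None:
        return True  # no scheme: relative path, query or fragment
    return match.group(1).lower() in ALLOWED_SCHEMES


def render_link_naive(text: str, target: str) -> str:
    """The behaviour the message describes: target is only HTML-encoded."""
    return '<a href="%s">%s</a>' % (html.escape(target, quote=True),
                                    html.escape(text))


def render_link_checked(text: str, target: str) -> str:
    """Emit the anchor only for safe targets; otherwise keep just the text."""
    if not is_safe_link_target(target):
        return html.escape(text)
    return '<a href="%s">%s</a>' % (html.escape(normalize(target), quote=True),
                                    html.escape(text))


if __name__ == "__main__":
    # Constructed sample link targets.
    for t in ["https://example.org/a?b=1&c=2", "../docs/page.html#sec",
              "javascript:alert(1)", " java\tscript:alert(1)"]:
        print(repr(t), "->", render_link_checked("link", t))
```
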
