The 'render_relation_element' filter (in contrast to the other two
filters) does not use a template for rendering, but simply returns the
'__toString()' value of the given object (that's the default behavior).
However, the filter was marked as HTML-safe. As a result, any string
returned by '__toString()' (which often comes from direct user input) is
output without any escaping, because Twig skips auto-escaping for values
a filter declares safe. This makes the filter vulnerable to a Stored
Cross-Site Scripting attack. The vulnerability has been fixed in this
commit.
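The following is an added example, not the project's own code, showing the mechanism described above: the same filter registered once with Twig's `is_safe` option (the vulnerable form) and once without it, so that the environment's default HTML auto-escaping applies. It assumes `twig/twig` is installed via Composer; the `RelationElement` class, the `VulnerableExtension` and `FixedExtension` classes and the `renderWith()` helper are hypothetical names chosen for the demonstration, and the element label is a constructed input.

```php
<?php
// Added example (not the project's code). Assumes twig/twig is installed via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Hypothetical relation element whose __toString() echoes a user-controlled label.
final class RelationElement
{
    public function __construct(private string $label) {}

    public function __toString(): string
    {
        return $this->label;
    }
}

// Vulnerable variant: the filter is declared HTML-safe, so Twig's auto-escaping
// is bypassed and whatever __toString() returns lands in the page verbatim.
final class VulnerableExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        return [
            new TwigFilter(
                'render_relation_element',
                fn(object $e): string => (string) $e,
                ['is_safe' => ['html']]   // the dangerous claim
            ),
        ];
    }
}

// Fixed variant: the filter returns a plain string and makes no safety claim,
// so the environment's 'html' auto-escaping treats it like any other variable.
final class FixedExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        return [
            new TwigFilter('render_relation_element', fn(object $e): string => (string) $e),
        ];
    }
}

// Renders a one-cell template with the given extension registered (hypothetical helper).
function renderWith(AbstractExtension $ext, RelationElement $element): string
{
    $twig = new Environment(new ArrayLoader([
        'row.html.twig' => '<td>{{ element|render_relation_element }}</td>',
    ]), ['autoescape' => 'html']);
    $twig->addExtension($ext);

    return $twig->render('row.html.twig', ['element' => $element]);
}

// Constructed input: a label carrying markup, as a stored payload would.
$element = new RelationElement('<b>bold</b><script>poc()</script>');

// With the HTML-safe flag the markup is emitted as-is and becomes live in the browser.
echo renderWith(new VulnerableExtension(), $element), PHP_EOL;

// Without the flag the same string is entity-escaped and shown as inert text.
echo renderWith(new FixedExtension(), $element), PHP_EOL;
```

The check a reviewer would apply to any Twig extension is therefore: every filter or function carrying `is_safe` must either produce markup entirely under the application's control or escape any user-derived parts itself before returning; a filter that merely forwards `__toString()` output cannot make that guarantee and should not be marked safe.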