The editor's source code view allows an attacker to bypass the input validation in the default view by injecting JavaScript using an IFRAME element.
Proof of Concept: Injected the payload <IFRAME SRC="javascript:alert('XSS');"></IFRAME> into the editor's source code view.
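A check for the gap reported above, as an added example that is not part of the original report or the editor's code: one validation entry point that both the default view and the source code view call, rejecting URL-bearing attributes whose scheme is not allowlisted. All function names, the attribute list and the scheme allowlist are assumptions.

```javascript
// Added example: all names here are hypothetical, not the editor's API.
const URL_ATTRS = new Set(["src", "href", "action", "formaction", "data", "poster", "xlink:href"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);
const NAMED = { colon: ":", tab: "\t", newline: "\n" };

// Decode numeric entities and the few named ones that can hide a scheme.
function decodeEntities(s) {
  return s.replace(/&#x([0-9a-f]+);?|&#(\d+);?|&(colon|tab|newline);/gi, (m, hex, dec, name) => {
    if (name) return NAMED[name.toLowerCase()];
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
  });
}

// Scheme as a browser's URL parser would see it, or null for a relative URL.
function urlScheme(value) {
  const v = decodeEntities(value).replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return m ? m[1].toLowerCase() : null;
}

// Report URL-bearing attributes whose scheme is not allowlisted.
function findUnsafeUrlAttrs(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const attrRe = /([^\s"'=<>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const tag of html.matchAll(tagRe)) {
    for (const a of tag[2].matchAll(attrRe)) {
      const name = a[1].toLowerCase();
      if (!URL_ATTRS.has(name)) continue;
      const scheme = urlScheme(a[2] ?? a[3] ?? a[4]);
      if (scheme !== null && !SAFE_SCHEMES.has(scheme)) {
        findings.push({ tag: tag[1].toLowerCase(), attr: name, scheme });
      }
    }
  }
  return findings;
}

// Single entry point: both views call this before content is accepted.
function acceptEditorHtml(html, view) {
  const findings = findUnsafeUrlAttrs(html);
  return { view, accepted: findings.length === 0, findings };
}

const poc = `<IFRAME SRC="javascript:alert('XSS');"></IFRAME>`; // payload from the report
console.log(acceptEditorHtml(poc, "source"));
```

This is a scheme gate only; it does not replace a parser-based sanitizer that also handles script elements and event-handler attributes.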