poef
commented
5 years ago No. This was only an issue in release 1.24, which was followed up with 1.25 the same day. Additionally, to have a cross site scripting vulnerability you would need to handle user input, which is not in the scope of this code, it is just rendering stuff. However, if you handle user input, it should be safe to just push it out to a field with data-simply-content="text", and in 1.24 it wasn't.
In the last release,9f7ba75f573cf1648735cbc7ac80c291df147733, I've noted the following text
... In addition we noticed that the new text-only code for data-simply-content="text" incorrectly handled special characters (<.>.& and "). This has been fixed as well.Did this issue in older versions resulted in expose to cross site scripting?