id	summary	reporter	owner	description	type	status	priority	component	severity	resolution	keywords	cc	release
9734	DOM injection vulnerability in NoteBox.expand_macro()	Alex Willmer	Ryan J Ollos	"`NoteBox.expand_macro()` performs string concatenation to construct a div element; as a result, it is possible to inject JavaScript into the page and have it executed. The following invocation demonstrates this: {{{ [[NoteBox("">