hypothesis_aggregator
HTML injection vulnerability
The plugin generates HTML using string concatenation of markup with values from annotation fields (e.g. the document title).
These fields can contain quotes, HTML markup, etc. That creates the possibility of the output being, in the best case, malformed HTML or, in the worst case, a malicious actor injecting <script> tags, inline event handlers, etc.
I'm not very familiar with WordPress, but as I understand it, the HTML markup generated by add_shortcode's callback is not sanitized before it is emitted. Happy to be corrected about this.
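The pattern described in the report, shown side by side with a hardened version, as an added example that is not the plugin's code or the reporter's. The annotation record is a constructed sample; the field names (uri, title, text) and the helper names esc_text/esc_href are assumptions for illustration. Plain-PHP escaping is used so the script runs stand-alone with the php CLI; inside a WordPress plugin the same roles are filled by esc_url(), esc_attr() and esc_html().

```php
<?php
// Added example (not the plugin's code): raw concatenation of annotation
// fields into markup, next to a version that escapes each value for the
// context it lands in. The annotation below is a constructed sample.

// Constructed sample annotation. The title carries a script tag and the
// uri carries an attribute-breaking quote with an inline event handler.
$annotation = [
    'uri'   => 'https://example.com/article" onmouseover="alert(1)',
    'title' => 'A title <script>alert(document.cookie)</script>',
    'text'  => 'Plain annotation body',
];

// Vulnerable pattern (the one the report describes): field values are
// concatenated straight into the markup the shortcode callback returns.
function render_annotation_unsafe(array $a): string {
    return '<li><a href="' . $a['uri'] . '">' . $a['title'] . '</a>: '
         . $a['text'] . '</li>';
}

// Hardened pattern: escape every value for the context it is emitted in.
// esc_text covers element content and quoted attribute values (ENT_QUOTES
// escapes both " and '), which is what esc_html()/esc_attr() do in WordPress.
function esc_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// For href, an escaped string is not enough on its own: a javascript: URL
// survives escaping intact. Restrict the scheme first, then escape for the
// attribute context. esc_url() plays this role in WordPress.
function esc_href(string $s): string {
    if (!preg_match('#^https?://#i', $s)) {
        return '';
    }
    return esc_text($s);
}

function render_annotation_safe(array $a): string {
    return '<li><a href="' . esc_href($a['uri']) . '">'
         . esc_text($a['title']) . '</a>: '
         . esc_text($a['text']) . '</li>';
}

// The unsafe output contains a live <script> element and an onmouseover
// handler; the safe output renders the same characters as inert text.
echo "Unsafe: " . render_annotation_unsafe($annotation) . "\n";
echo "Safe:   " . render_annotation_safe($annotation) . "\n";
```

Running the script shows the difference directly: the unsafe line contains the `<script>` element and an `onmouseover` attribute verbatim, while in the safe line the quote and angle brackets arrive as `&quot;`, `&lt;` and `&gt;`. The point for the plugin is that escaping has to happen at the moment a value is placed into markup, chosen per context (text node, attribute, URL), because the shortcode output is emitted as-is.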