The fact that it's also called when it's added to the stack for display. OP should definitely still sanitize on the server, but it's not as bad as it sounds at first glance.
As an exercise I'd love it if someone actually posted a payload to exploit that regex.