Defenses: All HTML tags are stripped server-side. But the page uses a naive client-side template engine that evaluates {{expressions}}.
{{expressions}}
All HTML tags are stripped. But there's a client-side template engine processing the output...