The HTML filter code does not filter data URLs in img tags, which leads to an XSS vector.
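
One way an HTML filter can vet img URLs after attribute decoding, shown as an added example that is not the affected project's code. The raster-only allowlist, the http/https-only rule and all names (`img_src_allowed`, `data_url_allowed`, `audit`, `SAMPLE`) are assumptions, and the sample markup is constructed.

```python
import re
from html.parser import HTMLParser

# Assumed policy for this example: base64 raster images only.
ALLOWED_DATA_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
_DATA_URL = re.compile(r"data:([^;,]*)((?:;[^;,]*)*),(.*)", re.I | re.S)
_C0_AND_SPACE = "".join(map(chr, range(0x21)))

def data_url_allowed(url):
    """True only for data:<allowlisted type>;base64,<base64 payload>."""
    m = _DATA_URL.fullmatch(url)
    if not m:
        return False
    mime = m.group(1).strip().lower()
    params = [p.strip().lower() for p in m.group(2).split(";") if p]
    payload_ok = re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", m.group(3)) is not None
    return mime in ALLOWED_DATA_TYPES and params == ["base64"] and payload_ok

def img_src_allowed(value):
    """Decide on the URL as a browser would read it, not on the raw attribute."""
    # URL parsers drop tab/CR/LF anywhere and trim leading/trailing C0 and space.
    url = re.sub(r"[\t\r\n]", "", value).strip(_C0_AND_SPACE)
    scheme = url.split(":", 1)[0].lower() if ":" in url else ""
    if scheme == "data":
        return data_url_allowed(url)
    return scheme in ("http", "https")  # assumed: everything else is rejected

class _ImgAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.results = []
    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in attrs.
        if tag == "img":
            self.results += [(v, img_src_allowed(v or "")) for n, v in attrs if n == "src"]

def audit(html):
    """Return (decoded src, allowed) for every img src in the markup."""
    parser = _ImgAudit()
    parser.feed(html)
    parser.close()
    return parser.results

# Constructed sample input.
SAMPLE = ('<img src="data:image/png;base64,iVBORw0KGgo=">'
          '<img src="data:text/html;base64,QQ==">'
          '<img src="DaTa&#58;image/svg+xml,&lt;svg/&gt;">'
          '<img src=" da\tta:text/html,x">'
          '<img src="https://example.org/a.png">')

if __name__ == "__main__":
    for src, ok in audit(SAMPLE):
        print("keep" if ok else "drop", repr(src))
```

A filter built this way removes the `src` attribute (or the whole tag) whenever `img_src_allowed` returns false, rather than trying to repair the value.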