XSS vulnerability in Postorius

Hi devs,

There is a Cross-site Scripting (XSS) vulnerability in Postoris: if an email is sent to a mailing list with a subject containing HTML code and placed in Held messages, the HTML code is rendered without escaping in the title of the Held messages pop-up.

I will send the screenshot to the security email.