github cure53/DOMPurify 2.0.4
4 years ago

Another mXSS (mutation XSS) variation was spotted by @masatokinugawa and has been fixed in this release.

The fixes were reviewed and no new bypasses could be spotted at the moment.
Thanks, @masatokinugawa 🙇‍♂️ 🙇‍♀️!

The sanitization logic for this kind of mXSS was changed to be less aggressive while still catching all recent mXSS variations we know about right now, and it also avoids risky string matching.

Prayers and thoughts that this was the final variation. But better be on the lookout for more releases soon.
