A malformed RSS feed can deliver an XSS payload
Create an RSS widget and add the domain https://blog.whitebear.vn/file/rss-xss2.rss
The XSS payload will be triggered by the title in tag <item>
Resolved in https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f