Codeux Software is not aware of any case in which this vulnerability was abused in the wild.
The vulnerability, which was discovered by Wladimir Palant, has existed since version 2.1.1 (mid-2012) of Textual.
Double quotes (") are allowed to appear inside a URL, which meant that a person with malicious intent could append code to the HTML anchor element that is used to turn a URL into a link.
The vulnerability was fixed by appropriately escaping the characters inside each URL.
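The following added example (not Textual's own code) shows a link builder that writes the URL into the anchor unescaped next to one that escapes it first. The function names, the simplified URL pattern, the sample message, and the choice of HTML-entity escaping are assumptions made for illustration.

```javascript
// Added example: names and the sample message are constructed for illustration.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Simplified URL matcher (assumption): scheme plus any run of non-whitespace,
// so a double quote is accepted as part of the URL, as the advisory describes.
const URL_PATTERN = /https?:\/\/\S+/g;

// Turn each URL in a chat message into an anchor; encodeUrl decides how the
// matched URL is written into the markup. Non-URL text is always escaped.
function linkify(message, encodeUrl) {
  let html = "";
  let last = 0;
  for (const match of message.matchAll(URL_PATTERN)) {
    const url = encodeUrl(match[0]);
    html += escapeHtml(message.slice(last, match.index));
    html += `<a href="${url}">${url}</a>`;
    last = match.index + match[0].length;
  }
  return html + escapeHtml(message.slice(last));
}

// Before the fix: the URL is pasted in as-is, so a quote ends the href value.
const linkifyUnescaped = (message) => linkify(message, (url) => url);
// After the fix: every character of the URL is escaped before insertion.
const linkifyEscaped = (message) => linkify(message, escapeHtml);

// List the attribute names found in the first opening <a> tag of the markup.
function anchorAttributes(html) {
  const tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  return [...tag[1].matchAll(/([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed message: the URL carries a quote followed by an inert attribute.
const SAMPLE = 'see http://example.com/"data-injected="1 for details';

console.log(anchorAttributes(linkifyUnescaped(SAMPLE)));
console.log(anchorAttributes(linkifyEscaped(SAMPLE)));
```

A regression test for a link renderer can use the same check: the anchor generated for any message must carry only the attributes the renderer itself writes.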
This web page will be displayed to anyone who hovers their mouse pointer over the URL displayed below.
The encoded data, when decoded, is: