Board Thread:Code Review/@comment-4356266-20151008134915/@comment-24473195-20151011165549

Hmm, notiplus uses an ajax call to retrieve data from the URL with the Action=render parameter. That outputs a raw html page, which is a vector for XSS, it then changes the page somewhat and outputs without verifying whether the wikitext is valid or not. So the problem may remain in the output.

Action render is used to show data, action parse is used to transform data for various reasons including outputing it onto a page.