In the past 5 years, since we continued this project from its previous maintainer, we have frequently received suggestions, improvements and reports about potential issues, including security-related ones. Due to the number of requests and our internal proceedings, usually no direct contact or interaction happens. We do take the time to look at all of those reports and think of ways to mitigate them. In some cases, it takes a while for a fix to be implemented properly, so that the fix does not raise other issues. Overall, we take these reports seriously and appreciate any such information.
Regarding the specific XSS issue that was publicly reported, we have now disabled the embed functionality completely. Our special thanks go to F. Braunlein and his team for pointing it out.
Since we are a fully open-source project, we also welcome any code contributions that help us fix issues directly when they are discovered.