It seems like the Citizen skin enables raw HTML embedding, and "$wgRawHtml = false;" does nothing to disable it, which seems unsafe. Am I missing something during setup to make this more secure?
Topic on Skin talk:Citizen
That does indeed happen when collapsible sections are created. In the meantime you can disable those by setting $wgCitizenEnableCollapsibleSections
to false.
Merged into master, should be fixed now.