
They "fixed" it. Well, there's still another.

https://hulbee.com/?query=%3C%2Fscript%3E%3Cimg%20src%3Dsdf%...

It runs on Chrome and bypasses the filter.

Edit: for context, the parent found an XSS issue. It was patched within a few hours. The patch was incomplete, and this one still worked. So, not only do they get it wrong for launch, when presented with an exploit they don't even patch the full vulnerability. I'll trust my data with someone who understands security, thank you very much.



