Thank @1x for that. At least the bug was found and now fixed.
Was the notification link which got opened directly in a picture part of the bug finding as well?
I didn't see that one - but it would have been, yes. Basically, the XSS sanitization wasn't working as it should. I hope I fixed it now.