Space bug in `clean_text`
An incorrect mapping from HTML specification to ASCII codes was used. Because HTML treats the Form Feed as whitespace, code like this has an injection bug: let html = format!("", clean_text(user_supplied_string)); Applications are not affected if they quote their attributes, or if they don't use clean_text at all.