Possible AirTag problem from Kirk McElhearn on Intego?:
Wow, do we never learn anything? Putting something like <script>alert('Pwned!')</script> in any input (HTML or not) and seeing how it affects output has been a standard testing procedure basically since there have been browsers. It’s extremely disconcerting that no Apple developer or QA person seems to do this.