The new linkify code opens us to XSS. My bad.

Open this to verify: https://github.com/bfred-it/sandbox/blob/master/test.js

The issue was passing a textContent to the linkifier (which could be the string "<img src='yo.jpg'>") and getting back HTML. Bang. XSS.

Fixed in 21fd5f0 already because of the urgency.

Leaving this open for a bit as an advisory.