html" use ctrl-shift-v to paste it into a .md file See ...">
ctrl-shift-v is meant to paste plaintext as is. However it will paste it into a dom elements innerHtml
and can thus be used to inject malicious html.
https://github.com/nextcloud/text/blob/main/src/extensions/Markdown.js#L97
If you can trick someone into using ctrl-shift-v to paste content you control you can insert html into the page leading to a possible xss attack.
The html will be inserted into the editors schema - but before that happens it’s already pasted into the innerHtml of a dom element.