Security researcher Nikita Arykov reported that JavaScript event handler
attributes on a <marquee> tag will execute inside a sandboxed iframe that does
not have the allow-scripts flag set. This could result in a cross-site
scripting (XSS) vulnerability in a site that depends on the iframe sandbox for
sanitization and does no other content filtering.
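
The risk case above is a site that relies on the iframe sandbox alone. The following is an added example, not code from the advisory or from Mozilla: a server-side allowlist filter, written in Python, that is applied before untrusted markup is placed in the sandboxed iframe, so that event handler attributes and the <marquee> tag never reach the browser. The allowlist policy, all names and the sample input are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser
# Assumed policy for this example (a small allowlist); SAMPLE is constructed input.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
DROP_CONTENT = {"script", "style"}  # removed together with their text
SAFE_SCHEMES = ("http://", "https://", "mailto:")
SAMPLE = ('<p onclick="void 0">Hello <marquee onstart="void 0">news</marquee> '
          '<a href="https://example.com" onmouseover="void 0">link</a></p>')

class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:  # e.g. marquee: tag dropped, text kept
            self.removed.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            ok = name in ALLOWED_ATTRS.get(tag, ())
            if ok and name == "href":
                ok = (value or "").strip().lower().startswith(SAFE_SCHEMES)
            if ok:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            else:  # every on* handler lands here: none is allowlisted
                self.removed.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self._skip:
            self._skip -= 1
        elif not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize(untrusted_html):
    f = AllowlistFilter()
    f.feed(untrusted_html)
    f.close()
    return "".join(f.out), f.removed
```

The second return value lists every dropped tag or attribute, which can be logged to see when submitted content carried handlers the filter removed.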