| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/answerdev/answer | go | < 1.0.6 | 1.0.6 |
The commit diff shows that the vulnerability stemmed from using OriginalText (raw user input) instead of ParsedText (processed/sanitized content) in the GetExcerpt method. Because this function generates display-ready content excerpts, it was a direct injection point for XSS whenever the excerpt was built from unescaped input. The patch explicitly switches to the sanitized ParsedText field, confirming that the root cause was improper input neutralization in this function.
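The flawed and patched patterns side by side, as an added Go illustration that is not the project's own code: the `Post` struct, `sanitize`, `NewPost`, `excerptVulnerable`, `excerptFixed` and `truncateRunes` are hypothetical stand-ins for the advisory's OriginalText/ParsedText fields and GetExcerpt method, and the sample post body is constructed.

```go
package main

import (
	"fmt"
	"html"
	"strings"
	"unicode/utf8"
)

// Post models the two fields the advisory contrasts (hypothetical type).
type Post struct {
	OriginalText string // raw user input, never safe to render as HTML
	ParsedText   string // content after the processing/sanitizing step
}

// sanitize stands in for the project's processing step; here it simply
// HTML-escapes every metacharacter so the result is inert when rendered.
func sanitize(raw string) string { return html.EscapeString(raw) }

// NewPost fills both fields the way a rendering pipeline would.
func NewPost(raw string) Post {
	return Post{OriginalText: raw, ParsedText: sanitize(raw)}
}

// excerptVulnerable mirrors the pre-patch pattern: the excerpt is cut from
// OriginalText, so any markup the user typed reaches the page unescaped.
func excerptVulnerable(p Post, maxRunes int) string {
	return truncateRunes(p.OriginalText, maxRunes)
}

// excerptFixed mirrors the patched pattern: only ParsedText is used, so the
// cut happens after escaping and can never re-open markup.
func excerptFixed(p Post, maxRunes int) string {
	return truncateRunes(p.ParsedText, maxRunes)
}

// truncateRunes cuts on rune boundaries (not bytes) so multibyte characters
// are never split, and backs off rather than ending inside an entity like
// "&lt;", which would otherwise render as a broken excerpt.
func truncateRunes(s string, maxRunes int) string {
	if utf8.RuneCountInString(s) <= maxRunes {
		return s
	}
	cut := string([]rune(s)[:maxRunes])
	if amp := strings.LastIndex(cut, "&"); amp >= 0 && !strings.Contains(cut[amp:], ";") {
		cut = cut[:amp]
	}
	return cut + "..."
}

func main() {
	p := NewPost("Hello <b>world</b> & friends, this is a long answer body")
	fmt.Printf("vulnerable: %q\nfixed:      %q\n", excerptVulnerable(p, 20), excerptFixed(p, 20))
}
```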