I was reviewing gerrit 87648 and happened to find this vulnerability
in the existing code. The patch looks like it might fix the vulnerability (provided, of course, that all callers filter out unescaped vertical tabs), though I'm not sure whether that was the author's intent.
So it's possible that others already know about this vulnerability.
To reproduce (works in at least Firefox and Chromium), paste this wikitext in the edit box and hit Preview:
<p style="font-size: 100px; background-image: url\b(https://www.google.com/images/srpr/logo6w.png)">A</p>
Actual Result: Logo is loaded from Google server and displayed
Expected Result: Logo should not be loaded from Google server or displayed. CSS should become /* insecure input */.