At the latest version, the page title has been escaped and cannot trigger the XSS payload. However, by login to a user with other privileges, I see that Itβs still not escaped yet.
Step 1: Login as Admin, create a page in site1
with the title ">test<img src>
and see that the page title has been escaped and cannot trigger the XSS payload.
Step 2: User1 with the Author
privilege
Step 3: Login as User1 and go to view the page of site1
and see that the payload is triggered.