NOSTR is a protocol that doesn't detail all implementation details so it wouldn't be fair to point HTML as culprit for flaws of web browsers.
That is a good paper, the leaks are mentioned the app Damus (notes browser) which wasn't really much worried about verifying the authenticity of the notes. The details: https://crypto-sec-n.github.io/
These are apps developed on free time and made available for free so these issues are bound to exist and be repaired.
NOSTR is a protocol that doesn't detail all implementation details so it wouldn't be fair to point HTML as culprit for flaws of web browsers.
That is a good paper, the leaks are mentioned the app Damus (notes browser) which wasn't really much worried about verifying the authenticity of the notes. The details: https://crypto-sec-n.github.io/
These are apps developed on free time and made available for free so these issues are bound to exist and be repaired.