XWiki Rendering / XRENDERING-793

HTML rendering output cannot be used safely in an HTML macro


Details

    • Unit
    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      As a user without script or programming right, set the source of the about field in your user profile to

      {{html wiki="true"}}~{~{~ht{{/html}}ml}} 

      Expected result:

      The about field displays {{html}}.

      Actual result:

      All sections of the user profile are displayed on a single page, separated by snippets of raw XWiki syntax.

      The reason is that the rendering output of this syntax is {{html}}, which the display logic of XWikiDocument then wraps inside another HTML macro. During parsing, that inner {{html}} opens a "nested" macro of the same name, so the following {{/html}} closes the nested macro instead of the outer one. The remaining part of the user profile therefore ends up nested inside that outer HTML macro.

      From all I found, this doesn't actually allow any HTML injection as everything we display is already rendered to HTML and this HTML output needs to be safe already. As a precaution, I'm still treating this as a security vulnerability. Unless we find further impact vectors, the considered impact is that it could deface parts of the wiki in ways that shouldn't be possible, so a minor impact on the integrity of the wiki.
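      To make the nesting behaviour concrete, the following Python model is added here as an illustration; it is not XWiki's parser or XWikiDocument's display code. The macro tokenizer, the `wrap_in_html_macro` wrapper, the `safe_to_wrap` check and the sample profile page are constructed simplifications of what the description above says happens. It shows that wrapping a field whose rendered output is `{{html}}` leaves the outer macro open so every later section is captured, and it includes the pre-wrap check a defensive display path could apply before wrapping rendered output in the same macro syntax.

```python
import re

# Tokenizer for {{name ...}} / {{/name}} as a naive macro parser would see them.
# Toy model: it is not the XWiki rendering parser.
_MACRO_TOKEN = re.compile(
    r"\{\{(?P<close>/?)(?P<name>[A-Za-z][A-Za-z0-9_-]*)[^}]*\}\}"
)


def wrap_in_html_macro(rendered_html: str) -> str:
    """Models the display logic in the report: rendered field output is wrapped
    in an html macro before being inserted into the surrounding page."""
    return "{{html}}" + rendered_html + "{{/html}}"


def outer_macro_span(text: str, name: str = "html"):
    """Return (start, end) of the body of the first `name` macro.

    A nested open of the same macro increases the depth, so the next close
    ends the nested macro rather than the outer one (the behaviour described
    in the report). `end` is None when the depth never returns to zero, i.e.
    the outer macro swallows the rest of the page.
    """
    depth = 0
    start = None
    for tok in _MACRO_TOKEN.finditer(text):
        if tok.group("name") != name:
            continue
        if not tok.group("close"):
            depth += 1
            if start is None:
                start = tok.end()
        else:
            depth -= 1
            if depth == 0:
                return start, tok.start()
    return start, None


def swallowed_content(page: str, name: str = "html") -> str:
    """Everything the first `name` macro captures; the whole remainder of the
    page if the macro is never closed."""
    start, end = outer_macro_span(page, name)
    if start is None:
        return ""
    return page[start:end] if end is not None else page[start:]


def safe_to_wrap(rendered_html: str, name: str = "html") -> bool:
    """Defensive pre-wrap check (hypothetical): refuse content that carries the
    wrapper's own macro syntax, because a naive parser would nest it."""
    return not any(
        t.group("name") == name for t in _MACRO_TOKEN.finditer(rendered_html)
    )


# Constructed sample: the report states the about field renders to {{html}}.
RENDERED_ABOUT = "{{html}}"

# Constructed profile page: three sections, each wrapped the way the report
# describes. Only the first section carries the problematic output.
PAGE = (
    "== About ==\n"
    + wrap_in_html_macro(RENDERED_ABOUT)
    + "\n== Preferences ==\n"
    + wrap_in_html_macro("<p>rendered preferences section</p>")
    + "\n== Network ==\n"
    + wrap_in_html_macro("<p>rendered network section</p>")
)

if __name__ == "__main__":
    # The outer macro never closes, so the later sections are captured by it.
    print(repr(swallowed_content(PAGE)))
    # The check flags the about output and accepts ordinary HTML.
    print(safe_to_wrap(RENDERED_ABOUT), safe_to_wrap("<p>plain html</p>"))
```

      Running the block shows the `== Preferences ==` and `== Network ==` sections inside the captured span, which is the single-page display the report describes; a page whose about output is ordinary HTML yields only that HTML. The check in `safe_to_wrap` is one place a display path could detect the condition before wrapping; how XWiki actually resolves the issue is not covered by this report.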

            People

              Michael Hamann (MichaelHamann)