Caoldence222@lemmy.world to Lemmy.World Announcements@lemmy.world • Lemmy.world (and some others) were hacked
1 year ago
They are incorrect I believe. An unprivileged account could change the markdown to contain malicious code before posting. Though through the admin panel one could modify an emoji and make the code embed anywhere that emoji was used, not just where the attacker posted it.
Source: I watched it happen on hexbear.net (there they did not get any admins, but there was an attempt)
You’d have to find an unpatched instance to try it on, I guess; I’m just telling you what I saw. Maybe hexbear’s emoji code was modified from upstream. What happened there was:
A new user showed up and posted one emoji in the megathread to get a couple of established accounts’ tokens, and then used those established accounts to first, DM spam the admins with the token stealer, then when that failed, spam porn/gore. It was cleaned up in nearly real time, and they definitely didn’t compromise an admin account first.
I can look for more details in a bit
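The mechanism described in the comments above is a stored cross-site scripting problem: a field an admin (or anyone with write access to the custom-emoji table) controls gets interpolated into the HTML of every page that renders that emoji. The following is an added example for readers of this thread, not Lemmy's code and not code from the commenter; the record shape (`shortcode`, `altText`, `imageUrl`) and the function names are assumptions made here for illustration. It shows the unsafe rendering pattern beside a hardened version, plus a defender-side check an instance operator could run over stored emoji records to flag ones that carry markup.

```javascript
// Added example (not Lemmy's code). Demonstrates why user- or admin-controlled
// emoji fields must be escaped before they are placed in HTML, and how to audit
// stored records for markup. Field names below are assumptions for illustration.

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only allow http(s) image URLs; anything else renders as an empty src.
function safeImageUrl(candidate) {
  try {
    const parsed = new URL(String(candidate));
    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
      return parsed.href;
    }
  } catch (err) {
    // not a parseable URL; fall through
  }
  return "";
}

// VULNERABLE pattern: stored values are interpolated verbatim into markup.
// A tampered altText can close the attribute and inject its own elements,
// which then execute for every viewer of every post using the emoji.
function renderEmojiUnsafe(emoji) {
  return `<img class="emoji" src="${emoji.imageUrl}" ` +
         `alt="${emoji.altText}" title="${emoji.shortcode}">`;
}

// HARDENED pattern: every stored value is escaped and the URL is validated.
function renderEmojiSafe(emoji) {
  return `<img class="emoji" src="${escapeHtml(safeImageUrl(emoji.imageUrl))}" ` +
         `alt="${escapeHtml(emoji.altText)}" title="${escapeHtml(emoji.shortcode)}">`;
}

// Defender-side audit: a legitimate emoji record never needs angle brackets,
// quotes or a javascript: scheme in any field. Flag records that contain them so
// an operator can review what an admin-panel compromise may have written.
const MARKUP_PATTERN = /[<>"']|javascript:/i;
function suspiciousEmoji(emoji) {
  return ["shortcode", "altText", "imageUrl"].some(
    (field) => MARKUP_PATTERN.test(String(emoji[field] ?? ""))
  );
}

function auditEmojiTable(records) {
  return records.filter(suspiciousEmoji).map((r) => r.shortcode);
}

// Constructed sample records (not real data from any instance).
const cleanEmoji = {
  shortcode: "smile",
  imageUrl: "https://example.invalid/smile.png",
  altText: "smiling face",
};
const tamperedEmoji = {
  shortcode: "wave",
  imageUrl: "https://example.invalid/wave.png",
  // Closes the alt attribute and injects an element; the body is a placeholder.
  altText: '"><script>/* payload placeholder */</script>',
};

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderEmojiUnsafe(tamperedEmoji));
  console.log("safe:  ", renderEmojiSafe(tamperedEmoji));
  console.log("flagged:", auditEmojiTable([cleanEmoji, tamperedEmoji]));
}
```

The audit function is the piece an operator would actually run after an incident like the one described: iterate over the custom-emoji records and list the shortcodes whose fields contain markup, since those are the ones that would have embedded the injected code in every post that used them.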