We are using a Form to collect leads and automatically send them an email using a Workflow. The emails are personalised, i.e. "Hi Max," but the first_name property comes from the form data. This means that someone could enter "evil.com" as their first name and an email address as their email and we would send "Hi evil.com," (which becomes a link).
If we had access to HubL filters in email templates, we could mitigate this risk by filtering the first_name property (using replace() for example).
This is a security issue and I'm sure we're not the only company sending emails containing untrusted user input.
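
An added example, not part of the original post and not HubSpot code: an allowlist check on the submitted first name, assuming the value can be validated at some point before it is merged into the email. The function names, the length limit and the "there" fallback are hypothetical.

```javascript
// Added example: allowlist check for a first-name field before it is merged
// into an email greeting. All names here are hypothetical, not HubSpot APIs.

const MAX_LEN = 40; // assumed limit for a first name

// Runs of letters/combining marks, joined by a single space, hyphen or
// apostrophe. No dot, slash, colon or @ is accepted, so a value such as
// "evil.com" that a mail client would auto-link never reaches the greeting.
const NAME_RE = /^[\p{L}\p{M}]+(?:[ '\u2019-][\p{L}\p{M}]+)*$/u;

function checkFirstName(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not_a_string" };
  // NFKC folds compatibility forms (e.g. fullwidth letters) to plain ones
  // before the allowlist is applied; inner whitespace is collapsed.
  const name = raw.normalize("NFKC").trim().replace(/\s+/g, " ");
  if (name.length === 0) return { ok: false, reason: "empty" };
  if (name.length > MAX_LEN) return { ok: false, reason: "too_long" };
  if (!NAME_RE.test(name)) return { ok: false, reason: "disallowed_chars" };
  return { ok: true, name };
}

// Build the greeting, falling back to a neutral word when the name is rejected.
function greeting(raw, fallback = "there") {
  const result = checkFirstName(raw);
  return `Hi ${result.ok ? result.name : fallback},`;
}

// Constructed sample submissions.
const samples = ["Max", "  Anne-Marie ", "O'Neil", "evil.com",
                 "https://evil.com", "a@evil.com", ""];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", greeting(s));
}
```

An allowlist is used here instead of a replace()-style filter because it rejects anything that is not plainly a name, rather than trying to enumerate every string a mail client might turn into a link.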