Thanks to @sebsel for pointing this out!
Quill has bookmarklets to quickly launch a few of the interface, specifically replies, bookmarks and favorites. I use the "favorite" bookmarklet on a regular basis, as it allows me to favorite the page I am viewing with just one click. The bookmarklet is quite simple. It essentially just redirects to Quill's "favorite" page with the URL of the page the browser was previously on in the query string, and it also appended a parameter "autosubmit=true".
Sebastiaan noticed that this was actually quite trivial to craft an attack for, by embedding an iframe in a web page with a URL of:
I can't believe I didn't notice this when I added that feature!