Cross Site Scripting
I found this publication by chance: https://www.vulnerability-lab.com/get_content.php?id=2233
The problem is the usage of jQuery.append for input coming from the user (jQuery does not escape text in this method).
The described PoC is not really bad because only the user can infect their own session. But I performed a review of all usages and I found more, like the CSV export name (which can be shared between users).
As a solution, I propose replacing all usages of jQuery.append for non-fixed text with jQuery.text (which escapes the HTML). I also think we should do this for translated fixed text, because the translation process is open and a malicious user may try to inject suspicious translations into the next release.