XSS #17
Description
Just thought about it: The Front-End should currently be vulnerable to XSS.
Not really a security concern because this software doesn't use sensitive data like passwords and everything that could be done via an injected script could as well just be done using a normal request without any further authorization.
But really in the end parameter input should be sanitized, the HTML should be escaped.
The only thing to discuss is whether or not we should do the escaping in the actual template or the users.js module, both would be possible, liquid provides an easy "escape"-filter while node doesn't really have a built-in function for that but it would be a single place to fix everything at the cost of a potentially higher complexity for more complicated URL parameters.