TYPO3 prior to 4.3.4 and 4.4.x prior to 4.4.1 allows XSS in the textarea view helper in an extbase extension.
typo3 typo3