MODX Revolution through v2.7.0-pl allows XSS via an extended user field such as Container name or Attribute name.
modx modx revolution
modx modx revolution 2.7.0