In Zulip Server versions prior to 1.7.2, there was an XSS issue with stream names in topic typeahead.
zulip zulip server