The dlf (aka Kitodo.Presentation) extension prior to 3.1.2 for TYPO3 allows XSS.
kitodo kitodo.presentation