Plone up to and including 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.
plone plone