I found at least in profile editing a possible vulnerability, using post requests, which allows users to make their own special html elements and even include scripts, ill be looking into it. For more info contact me in the comments.