remark42 before 1.6.1 allows XSS, as demonstrated by «Locator: Locator{URL:» followed by an XSS payload. This is related to backend/app/store/comment.go and backend/app/store/service/service.go.
