Researcher found a vulnerability in our contact selector, in which a contact name with HTML would trigger this HTML to be executed. We have improved our contact selector to handle customer names as text instead of HTML.