Hello there! I found an XSS since you forgot to add the JSON Content-Type response header right there:
https://github.com/gtsatsis/RLAPI-v3-OOP/blob/508d3c610ccc9076753bdc81151a5e8d76871a3e/src/Controller/UserController.php#L93
The tier parameter is therefore returned with the wrong Content-Type (text/html).
I have been able to verify the existence of the XSS.
Note that you can bypass the '' added to both " & / by using comments such as:
Reflected cross-site scripting should be fixed, as a user might be able to steal cookies/escalate privileges.
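
One way to close the gap described in this report, as an added example that is not code from the report or from the RLAPI project: a JSON reply that echoes a client-supplied `tier` value with an explicit JSON content type, `nosniff`, and hex-escaped markup characters. The helper names `jsonReply` and `sendReply` are hypothetical, and the sample `tier` value is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not the project's code: builds the status, headers
// and body for a JSON API reply that echoes a client-supplied value.
function jsonReply(array $payload, int $status = 200): array
{
    // JSON_HEX_* turns <, >, &, ' and " into \u00XX escapes, so the body holds
    // no literal markup even if something later treats it as HTML.
    $body = json_encode(
        $payload,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );

    return [
        'status'  => $status,
        'headers' => [
            // Explicit type: the browser parses the body as data, not a document.
            'Content-Type'           => 'application/json; charset=utf-8',
            // Stops content sniffing from overriding the declared type.
            'X-Content-Type-Options' => 'nosniff',
        ],
        'body'    => $body,
    ];
}

// Emits a reply built by jsonReply() through PHP's SAPI.
function sendReply(array $reply): void
{
    http_response_code($reply['status']);
    foreach ($reply['headers'] as $name => $value) {
        header($name . ': ' . $value);
    }
    echo $reply['body'];
}

// Constructed sample input: a tier value carrying harmless markup.
$tier = '<b>premium</b>';
// Default json_encode() leaves < and > intact; served as text/html, the
// browser would render this markup.
$unsafeBody = json_encode(['tier' => $tier]);
$reply = jsonReply(['tier' => $tier]);

if (PHP_SAPI === 'cli') {
    echo "default encoding : ", $unsafeBody, PHP_EOL;
    echo "hardened body    : ", $reply['body'], PHP_EOL;
    echo "content type     : ", $reply['headers']['Content-Type'], PHP_EOL;
} else {
    sendReply($reply);
}
```

The content type is the actual fix; the hex escaping is defence in depth for any consumer that later embeds the body in an HTML context.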