I’ve found out that it is possible to inject HTML code in the Patient Chat functionality, which allows malicious code to be stored there and potentially affect the other chat users.
<a href="//evil.com">click here</a>
You’ll see that unsanitized HTML code will appear on the chat.
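One way to close this on the rendering side, shown as an added example that is not part of the original report or the application's own code: encode every chat message on output, and audit messages stored before the fix for tag-like content. The function names, CSS class names and sample rows are assumptions made for illustration.

```javascript
// Added example: encode-on-output for chat messages, plus an audit pass
// over already-stored messages. All names here are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one chat line. Sender and body are both untrusted.
function renderChatMessage(sender, body) {
  return '<div class="chat-msg"><span class="chat-sender">' + escapeHtml(sender) +
    '</span>: <span class="chat-body">' + escapeHtml(body) + '</span></div>';
}

// Flag stored messages that contain something shaped like an HTML tag,
// so rows saved before the fix can be reviewed.
function findStoredMarkup(messages) {
  const tagLike = /<\/?[a-zA-Z][^>]*>/;
  return messages.filter((m) => tagLike.test(m.body)).map((m) => m.id);
}

// Constructed sample rows; the second body is the string from the report.
const sampleMessages = [
  { id: 1, sender: 'patient01', body: 'Is 3 < 5 mg the right dose?' },
  { id: 2, sender: 'patient02', body: '<a href="//evil.com">click here</a>' },
  { id: 3, sender: 'nurse', body: 'See you at 10 & bring your card' },
];

function demo() {
  return {
    flagged: findStoredMarkup(sampleMessages),
    html: sampleMessages.map((m) => renderChatMessage(m.sender, m.body)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Encoding at render time covers messages already in storage as well as new ones; the audit only identifies rows worth reviewing.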