webmention.js has a XSS vulnerability here.
Comment name has not escaped.
https://github.com/PlaidWeb/webmention.js/blob/9457e71433c0d2430bbe767ecc5b5837140d0ee4/static/webmention.js#L330
p-name
<article>
<span><img src=x onerror=alert(1)></span>
...