I tested the demo site you provided. I see that there is an XSS vulnerability. I hope you can check and provide a fix as soon as possible.
Video PoC link:
https://drive.google.com/file/d/186jNX2EJW_aIaknmOmwBhQ663SSzv289/view?usp=sharing
1. Go to my preferences and edit
2. Edit the email and press save –> intercept with Burp
3. Add this line to the email in Burp and press forward
"><script>alert(1)</script><"
4. Turn off intercept in Burp, go back to my preferences and click on the email to compose a message
I see that the code that I added to the email has been executed.
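
The report above describes an email value that was changed in transit by a proxy and later rendered as markup. The following is an added example, not part of the original report and not the affected project's code, showing the two server-side controls that address it: validating the email on save and encoding it on output. All function names and the `profile` dictionary are hypothetical, and the address pattern is an assumed conservative allow-list.

```python
import html
import re
import urllib.parse

# Assumed allow-list: unquoted local part, dotted hostname. Anything else is rejected.
_EMAIL_RE = re.compile(
    r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
)


def is_valid_email(value: str) -> bool:
    """Server-side check. It runs on the request body the server actually
    receives, so it still applies when browser-side checks are bypassed."""
    return len(value) <= 254 and _EMAIL_RE.fullmatch(value) is not None


def save_email(profile: dict, value: str) -> bool:
    """Store the email only if it passes validation (hypothetical handler)."""
    if not is_valid_email(value):
        return False
    profile["email"] = value
    return True


def render_email_link(email: str) -> str:
    """Encode for each output context, even for values already validated:
    percent-encode inside the mailto: URL, HTML-escape the attribute and text."""
    href = "mailto:" + urllib.parse.quote(email, safe="@")
    return '<a href="{}">{}</a>'.format(
        html.escape(href, quote=True), html.escape(email, quote=True)
    )


if __name__ == "__main__":
    # Constructed input: the string from step 3 of the report.
    reported_value = '"><script>alert(1)</script><"'
    profile = {"email": "user@example.com"}
    print("saved:", save_email(profile, reported_value))
    print("stored:", profile["email"])
    # Defence in depth: even if such a value were already stored, output
    # encoding keeps it as inert text.
    print(render_email_link(reported_value))
```

Validation alone does not cover values stored before the fix, which is why the rendering path encodes as well.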