Possibility for HTML injection in email notifications
The thread's title is inserted into the message's body without any sanitization.
Class: Notification
Method: getMessageDiscussionReply
https://gitlab.com/DefendTheWeb/website/blob/master/src/lib/Notification.php
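
The issue described above, shown as an added example that is not the project's code: a weak and a hardened way to place a thread title into an HTML notification body. The function names, the markup and the sample title and URL are assumptions made for illustration; they are not taken from Notification.php.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a reply-notification builder; NOT the code in
// Notification::getMessageDiscussionReply. All names here are assumptions.

/** Escape untrusted text for an HTML text node or a quoted attribute value. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Weak form: the user-controlled title is concatenated into markup as-is. */
function replyBodyUnsafe(string $threadTitle, string $threadUrl): string
{
    return '<p>New reply in <a href="' . $threadUrl . '">' . $threadTitle . '</a></p>';
}

/** Hardened form: every dynamic value is escaped at the point of output. */
function replyBodySafe(string $threadTitle, string $threadUrl): string
{
    return '<p>New reply in <a href="' . e($threadUrl) . '">' . e($threadTitle) . '</a></p>';
}

/** text/plain alternative: markup is inert here, so only collapse control
 *  characters to keep the title on a single line. */
function replyBodyText(string $threadTitle, string $threadUrl): string
{
    $title = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $threadTitle) ?? '';
    return "New reply in \"{$title}\": {$threadUrl}\n";
}

// Constructed sample input: a thread title that contains markup.
$title = 'Help</a><h1>Injected heading</h1><a href="https://example.invalid/">with level 3';
$url   = 'https://example.invalid/discussion/123';

echo replyBodyUnsafe($title, $url), "\n\n"; // title markup becomes part of the email
echo replyBodySafe($title, $url), "\n\n";   // title is rendered as literal text
echo replyBodyText($title, $url);

// The escaped body must not contain any tag that originated in the title.
if (strpos(replyBodySafe($title, $url), '<h1>') !== false) {
    throw new RuntimeException('thread title reached the HTML body unescaped');
}
```

Escaping belongs at the point where the title is written into the HTML body, so the stored title stays unchanged for other output contexts.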