no XSS stuff, people worked pretty hard at finding all those vectors in the backend, and the standard Poast frontend (Soapbox) dev is actually competent and has CSP that mitigates that. Soapbox has never had a XSS vulnerability I believe
Even a couple of years ago when I reported exploitable HTML injection (forms + css), there wasn't XSS