In galaxyproject/galaxy, the 'description' and 'synopsis' fields of libraries are vulnerable to stored XSS injection. If a user sets the synopsis or description of a library to ''"><img src=x onerror=alert(1);>' they can set a stored XSS payload that fires whenever someone visits the /libraries page. Normally libraries are only editable by admins, but it is possible for admins to give edit permissions for specific libraries to regular users, meaning that this vulnerability could be used by an attacker on a normal user account if an admin gives them edit permission for a library.