An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.