The Last version of Dolibarr has an HTML Injection in the URL Field in "Import external calendars" section:
[URL] http://XXXX/user/agenda_extsites.php
[Field Affected] URL
[Issue] HTML Injection
[PoC] Put the follow string: "><h1>Injection</h1> in the URL field and accept.
More info in:
https://github.com/Dolibarr/dolibarr/issues/4291