XSS vulnerability in the "move" page action with html/js in the page name


      There is a persistent XSS vector in the 'move' page action on a page, where the JavaScript/HTML payload is included in the name of the page.

      Steps to reproduce:
      1. Create a page named: "''/><video onerror=alert(234234) src=xxx>'kasdfjas'dfasdf
      2. (On the page) click on the "move" option under the tools drop-down menu.
      3. See an alert box with the number 234234 in it.

              Assignee: Niraj Bhawnani
              Reporter: David Black
              Votes: 0
              Watchers: 3

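The report does not show the affected template, so the following is an added example and not the product's code: it assumes the move dialog writes the stored page name into an HTML attribute and into element text, and contrasts plain concatenation with output encoding. The function names, the `newTitle` field and the markup are hypothetical; the page name is the one from the steps above.

```javascript
// Added example, not the product's code. Function names and markup are hypothetical.
// Page name copied from the reproduction steps in the report.
const PAGE_NAME = `"''/><video onerror=alert(234234) src=xxx>'kasdfjas'dfasdf`;

// Encode the characters that can close an attribute value or open a tag.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed vulnerable pattern: the stored page name is concatenated as-is.
function renderMoveDialogUnsafe(pageName) {
  return `<input type="text" name="newTitle" value="${pageName}"/>` +
         `<span>${pageName}</span>`;
}

// Hardened form: encode at output time, for every place the name is written.
function renderMoveDialogSafe(pageName) {
  const safe = escapeHtml(pageName);
  return `<input type="text" name="newTitle" value="${safe}"/>` +
         `<span>${safe}</span>`;
}

// Rough regression check (a regex, not an HTML parser): which elements does
// the rendered markup open? Anything beyond input and span came from the name.
function openedTags(markup) {
  return [...markup.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

console.log('unsafe:', openedTags(renderMoveDialogUnsafe(PAGE_NAME)));
console.log('safe:  ', openedTags(renderMoveDialogSafe(PAGE_NAME)));
```

A check like `openedTags` can run in a template test suite with hostile page names as fixtures, so a later change that drops the encoding fails the build.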