Details
Description
Profile settings / Favourites.
Apparently it is possible to click on the start and set a label on the favourite.
Setting "my secret name for favourite <script>alert('d');</script>" label executes the alert. Visiting favourites page later (or even opening Update favourite dialog) doesn't show alert anymore.
Seems like non-persisted XSS then, also I can't see any page to share favourites with other users, so the only potential victim of this XSS is the same user.