Grav 1.5.2 and the accompanying Admin plugin 1.8.10 provide an important new security feature. Grav now includes powerful new security-checking functionality that can be used from both the CLI and the Admin plugin.
From the command line you can simply run bin/grav security, and Grav will run through all your pages and display a list of pages with potential XSS vulnerabilities.
From the Grav admin, you will get a notice at the top of the Content tab if a potential XSS issue is detected.
By default, any non-super-admin user will not be able to create or edit pages with XSS issues. A whitelist of user permissions that may ignore the XSS warnings can be edited in the Security panel under Configuration. You can also disable a particular XSS rule or tweak the list of Dangerous HTML Tags.
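To make the behaviour described above concrete, here is an added, illustrative checker written for this article; it is not Grav's own code, and the rule names, the default tag list, the permission name and the sample pages are constructed assumptions, not Grav's real configuration keys or output. It scans a set of pages for dangerous tags, inline event handlers and javascript: URIs, lets a site owner disable a rule or change the tag list, and applies the "non-whitelisted users cannot save a page with findings" policy.

```python
"""Illustrative page-content XSS checker in the spirit of `bin/grav security`.

Added example, not Grav's code. Rule names, the default tag list and the
permission whitelist are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass, field

# Assumed default "Dangerous HTML Tags" list (constructed for this example).
DEFAULT_DANGEROUS_TAGS = ["script", "iframe", "object", "embed", "form"]


@dataclass
class Finding:
    page: str      # page route the finding belongs to
    rule: str      # which XSS rule fired
    snippet: str   # short excerpt around the match, for the report


@dataclass
class XssConfig:
    dangerous_tags: list = field(default_factory=lambda: list(DEFAULT_DANGEROUS_TAGS))
    disabled_rules: set = field(default_factory=set)
    # Assumed permission whitelist: holders may save pages despite findings.
    permission_whitelist: set = field(default_factory=lambda: {"admin.super"})


# Inline event handlers such as onclick= / onfocus= inside any tag.
_EVENT_ATTR = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)
# javascript: scheme in attributes that load or navigate to a URL.
_JS_URI = re.compile(r"(?:href|src|action)\s*=\s*[\"']?\s*javascript\s*:", re.IGNORECASE)


def _rules(cfg):
    """Build the rule table; the tag rule is derived from the configured list."""
    tag_alt = "|".join(re.escape(t) for t in cfg.dangerous_tags)
    tag_re = re.compile(rf"<\s*(?:{tag_alt})\b", re.IGNORECASE)
    return {
        "dangerous_tags": tag_re,
        "on_events": _EVENT_ATTR,
        "javascript_uri": _JS_URI,
    }


def check_page(name, content, cfg=None):
    """Return a list of Finding objects for one page's raw content."""
    cfg = cfg or XssConfig()
    findings = []
    for rule, pattern in _rules(cfg).items():
        if rule in cfg.disabled_rules:   # a rule the site owner switched off
            continue
        for m in pattern.finditer(content):
            findings.append(Finding(name, rule, content[m.start():m.start() + 40]))
    return findings


def scan_pages(pages, cfg=None):
    """pages: dict route -> raw content. Returns only pages that have findings."""
    result = {}
    for name, content in pages.items():
        found = check_page(name, content, cfg)
        if found:
            result[name] = found
    return result


def may_save(user_permissions, findings, cfg=None):
    """Policy: a page with findings may only be saved by whitelisted users."""
    cfg = cfg or XssConfig()
    if not findings:
        return True
    return bool(set(user_permissions) & cfg.permission_whitelist)


# Constructed sample site content (not real pages).
SAMPLE_PAGES = {
    "/home": "# Welcome\n\nPlain **markdown** with a <em>safe</em> tag.",
    "/contact": '<form action="javascript:void(0)"><input onfocus="x()"></form>',
    "/blog/post": "Text <script>alert(1)</script> more text",
}

if __name__ == "__main__":
    # CLI-style report: one line per finding, like a security command would print.
    for page, found in scan_pages(SAMPLE_PAGES).items():
        for f in found:
            print(f"{page}: [{f.rule}] {f.snippet!r}")
```

Running the module prints the findings for /contact and /blog/post and nothing for /home; the same `scan_pages` result is what an admin notice or a scheduled report would be built from, while `may_save` is the gate an editing UI would consult before accepting a page from a non-whitelisted user.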
We plan on adding even more reporting functionality in upcoming releases of Grav. This could include a scheduled job that runs daily and emails you any new XSS issues found, as well as a dedicated section of the admin that shows information similar to the CLI command and lists all currently known XSS issues on your site.