Not XSS, but you need to be careful about allowing through things like the LTR/RTL override characters.