I created a test developer account. The code provided by default for the Blog collection's list page has an XSS vulnerability that allows arbitrary JavaScript to be run by injecting code in a URL param. For example, displaying cookies, which could contain user data:
https://matt-healy-5ky6.squarespace.com/blog?tag="><img src=x onerror=prompt(document.cookie);>
Some browsers do some auto-escaping to prevent this code from running, but e.g. Firefox for Mac does not.
The problematic template code in blog.list is this:
<!-- TAG FILTER RESULTS ex: http://base-template.squarespace.com/blog/?tag=tag2 -->
{.section tagFilter}
<p>Filtering by Tag: {@}</p>
{.end}
I've solved this problem on my production site by escaping HTML when printing the search query:
<!-- TAG FILTER RESULTS ex: http://base-template.squarespace.com/blog/?tag=tag2 -->
{.section tagFilter}
<p>Filtering by Tag: {@|html}</p>
{.end}
It seems worth updating the example templates to fix this vulnerability.
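
An added example, not part of the original post and not Squarespace's code: a small JavaScript check that flags template substitutions such as `{@}` printed without an escaping formatter, run over the two snippets from the post. The formatter allow-list and the matching pattern are assumptions (only `html` comes from the post), and `escapeHtml` is a hypothetical stand-in for what such a formatter does to the value.

```javascript
// Formatters treated as escaping. Assumption: only `html` is taken from the post;
// extend this set with whatever escaping formatters your template engine documents.
const ESCAPING_FORMATTERS = new Set(["html"]);

// Matches {@}, {name}, {a.b|fmt arg}. Directives ({.section x}, {.end}) and
// inline CSS/JS braces do not match because of the first-character restriction.
const SUBSTITUTION = /\{(@|[A-Za-z_][\w.-]*)((?:\|[^{}|]+)*)\}/g;

// Returns [{ line, token }] for every substitution with no escaping formatter.
function findUnescaped(template) {
  const findings = [];
  template.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(SUBSTITUTION)) {
      const formatters = m[2].split("|").slice(1).map((f) => f.trim().split(/\s+/)[0]);
      if (!formatters.some((f) => ESCAPING_FORMATTERS.has(f))) {
        findings.push({ line: i + 1, token: m[0] });
      }
    }
  });
  return findings;
}

// Hypothetical stand-in for an HTML-escaping formatter: neutralises the
// characters that let a value break out of text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Inputs: the two template snippets and the tag value quoted in the post.
const before = "{.section tagFilter}\n<p>Filtering by Tag: {@}</p>\n{.end}";
const after = "{.section tagFilter}\n<p>Filtering by Tag: {@|html}</p>\n{.end}";
const tag = '"><img src=x onerror=prompt(document.cookie);>';

console.log(findUnescaped(before)); // the {@} on line 2 is reported
console.log(findUnescaped(after));  // nothing reported
console.log(escapeHtml(tag));       // the value as inert text
```

The check is a line-based heuristic for reviewing template files; a hit means the value should be looked at, not that it is necessarily user-controlled.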