I'm preemptively adding this to security since I won't try a possible XSS on a public wiki, in case someone else notices that.
A <tt> tag from the topic title was leaked in an echo notification of this flow post (a thanks action).
tt is allowed in wikitext. I'm not sure if something like a <script> could be leaked too, which could be disastrous. Confirmed: It's not an issue.
It also parses templates, see T123543
Earlier testing by @Etonkovidova. All of them should be plain text:
Tested on test.wikipedia.org
data | Flow topic titles | Echo flyout | Notification page |
<code></code> | plain text | as code text | as code text |
<script>alert(1)</script> | plain text | plain text | plain text |
<tt> | plain text | is not displayed | monospace; changes all text to monospace |
{{release}} | plain text | red link | red link |
<!--T:1--> | plain text | plain text | plain text |
<translate> | plain text | plain text | plain text |