I was re-reviewing some parser functions, and found that the Listing extension allows arbitrary URLs, including "javascript:", etc.
E.g.,
<buy name="asdf" url="javascript:alert(1)" >anything</buy>
And the name parameter is vulnerable to reflected/stored XSS:
<buy name="<script>alert(2)</script>">anything</buy>
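
A defensive counterpart to the two cases reported above, as an added example that is not part of the original report or the Listing extension's own code: the url attribute is checked against a scheme allowlist and every attribute is HTML-escaped on output. The names `safeListingUrl`, `renderListing` and `ALLOWED_SCHEMES` are hypothetical, and the http/https allowlist and the plain-text treatment of the tag body are assumptions.

```php
<?php
// Added example with hypothetical helper names; not the extension's code.

// Schemes accepted in a listing's url attribute (assumption for this example).
const ALLOWED_SCHEMES = ['http', 'https'];

/**
 * Return the URL if it is absolute and uses an allowed scheme, otherwise null.
 */
function safeListingUrl(string $url): ?string {
    // Browsers drop tab, CR and LF inside a URL and ignore leading control
    // characters and spaces, so "java\tscript:" must be normalised before
    // the scheme is inspected.
    $url = preg_replace('/[\t\r\n]/', '', $url);
    $url = ltrim($url, "\x00..\x20");
    // Require "scheme://"; this rejects relative, scheme-less and
    // non-hierarchical values such as javascript: or data:.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):\/\//i', $url, $m)) {
        return null;
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true) ? $url : null;
}

/**
 * Render a <buy>-style listing with name, url and body treated as untrusted.
 */
function renderListing(string $name, string $url, string $body): string {
    // Escape for both element content and quoted attribute values.
    $esc = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    $label = '<strong>' . $esc($name) . '</strong>';
    $safe = safeListingUrl($url);
    if ($safe !== null) {
        // Only a validated URL ever reaches href; otherwise no link is emitted.
        $label = '<a rel="nofollow" href="' . $esc($safe) . '">' . $label . '</a>';
    }
    return $label . ' ' . $esc($body);
}

// Constructed inputs mirroring the two cases in the report.
echo renderListing('asdf', 'javascript:alert(1)', 'anything'), "\n";
echo renderListing('<script>alert(2)</script>', 'https://example.org/', 'anything'), "\n";
```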