OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name.