Sanitize user input, even if restricted by HTML
The following XSS can be eliminated by checking whether the input is a number, but I think there are more attacks possible.
Go to the dashboard and open the traffic graph settings. Change the input type from number to text for the refresh-interval element and put some XSS content inside, e.g.
and voilà, there you have it.
I think there are tons of XSS attacks possible. The problem is that these settings are shared via user accounts, so an "unprivileged" user can change those settings and attack an admin, for example.
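The report's core point is that an HTML input type is enforced only by the browser: whatever the client sends is stored and later rendered into every account's dashboard. The following is an added illustration, not code from the report or from the affected project. It assumes a hypothetical settings field named "refresh", an assumed valid range of 1 to 3600 seconds, and a constructed payload standing in for the XSS content the report leaves out. It shows a handler that trusts the stored value beside one that re-validates it server-side and escapes it on output, and simulates the shared-settings flow in which an unprivileged user's save poisons the admin's page.

```python
import html
import re

# Constructed sample payload (not from the report): what an attacker might submit
# after changing <input type="number"> to type="text" in the browser dev tools.
MALICIOUS_SETTING = '<img src=x onerror="alert(document.cookie)">'

# Assumed bounds for the refresh interval, in seconds.
INTERVAL_MIN, INTERVAL_MAX = 1, 3600


def save_vulnerable(store: dict, raw: str) -> None:
    """Stores whatever the client sent. The form only offered a number field,
    but that restriction lives in the browser, so it proves nothing here."""
    store["refresh"] = raw


def render_vulnerable(refresh_interval: str) -> str:
    """Echoes the stored setting straight back into the page. With a stored
    payload, every user who opens the dashboard executes it."""
    return f'<input type="number" name="refresh" value="{refresh_interval}">'


def validate_refresh_interval(raw: str) -> int:
    """Server-side check that mirrors the client-side restriction.

    Accepts only a plain string of digits within the assumed range and returns
    it as an int; anything else raises ValueError. fullmatch rejects trailing
    newlines and surrounding whitespace, and the digit class rejects signs,
    exponents and decimals that int() or float() would otherwise accept.
    """
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,6}", raw):
        raise ValueError("refresh interval must be a positive integer")
    value = int(raw)
    if not INTERVAL_MIN <= value <= INTERVAL_MAX:
        raise ValueError(
            f"refresh interval must be between {INTERVAL_MIN} and {INTERVAL_MAX}"
        )
    return value


def save_hardened(store: dict, raw: str) -> None:
    """Validates before storing, so a bad value never reaches other accounts."""
    store["refresh"] = validate_refresh_interval(raw)


def render_hardened(refresh_interval) -> str:
    """Validates again at render time and HTML-escapes the output.

    The escape is defence in depth: even if a future change lets a non-numeric
    value into the store, it is rendered as text rather than markup.
    """
    value = validate_refresh_interval(str(refresh_interval))
    return f'<input type="number" name="refresh" value="{html.escape(str(value))}">'


def unprivileged_user_saves_then_admin_views(save, render) -> str:
    """Simulates the flow from the report: the settings store is shared by all
    accounts, an unprivileged user saves the setting, then an admin loads the
    dashboard page that renders it. Returns the HTML the admin would receive."""
    shared_settings = {}
    save(shared_settings, MALICIOUS_SETTING)  # unprivileged user's request
    return render(shared_settings["refresh"])  # admin's dashboard


if __name__ == "__main__":
    print(unprivileged_user_saves_then_admin_views(save_vulnerable, render_vulnerable))
    try:
        unprivileged_user_saves_then_admin_views(save_hardened, render_hardened)
    except ValueError as err:
        print("rejected at save time:", err)
```

The validation is an allowlist (digits only, within range) rather than a blocklist of dangerous characters, which is what closes the "tons of XSS attacks possible" concern for this field: there is no way to get markup past a check that only admits a bounded integer. The same pattern applies to every other setting the form exposes, since each one can be tampered with in the same way.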