In the ERPNext demo at the link below, the “Comment” functionality is vulnerable to XSS such as Stored, Reflected, Cookie, and possibly more.
Follow the images below to confirm.
Impact: An attacker can use this vulnerability to inject malicious code into the application, which will execute in the browser of any user who is viewing the relevant application content. The attacker's code can perform a wide variety of actions, such as stealing the target user's cookies or performing actions on their behalf, and can also capture the user's keystrokes.