When I worked on OPENIDM-7451, I found a bug. I disabled the JS validation for the object name while creating a new object and set the name to an XSS input. (With the developer console I edited the HTML for this form input and removed all JS validators.) Then I created the new object and IDM accepted it. Afterwards there were some errors in the IDM console about the bad object name.
Name for new object
Exception in idm console
Bundle: org.forgerock.openidm.repo-orientdb  [org.forgerock.openidm.repo.orientdb(60)] The modified method has thrown an exception
org.apache.felix.log.LogException: com.orientechnologies.orient.core.exception.OStorageException: Error in creation of new cluster 'managed_<script>alert("XSS");</script>' of type: PHYSICAL
Caused by: java.io.IOException: Invalid file name 'managed_<script>alert("xss");</script>'
After that it is not possible to access the objects list (internal error).
IDM shouldn't accept this input.
I tried it with IDM 4.5.1 RC3 and IDM 5.0.0 RC9, where the error is the same.
I use OrientDB as the repo.
I also tried on master 5.5.0 (revision: bdd514a, postcommit-2544), where IDM does not create the new object, shows the user "internal error" and throws a new exception in the IDM console.
Failure to update configuration for managed
java.io.IOException: Failed to store configuration in repository: An error occurred processing the query request.
Caused by: org.forgerock.json.resource.InternalServerErrorException: An error occurred processing the query request.
Caused by: com.orientechnologies.orient.core.exception.OSerializationException: Found invalid % character. Ensure it is opened and closed correctly.
It should be the same also for IDM 4.5.0 and 5.0.0.
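
A server-side check of the kind this report asks for, as an added example that is not part of the original report and is not IDM code: it rejects unsafe object names before the configuration reaches the repository, so removing the browser validators no longer matters. The function names, the allowlist pattern, the length limit, the case-insensitive duplicate check and the `{ objects: [{ name }] }` input shape are assumptions.

```javascript
// Added example, not IDM code. The allowlist, the length limit and the
// case-insensitive duplicate check are assumptions, not IDM's actual rules.
const NAME_PATTERN = /^[A-Za-z][A-Za-z0-9_]*$/;
const MAX_NAME_LENGTH = 64;

// Returns null when the name is acceptable, otherwise the reason it is rejected.
function validateObjectName(name) {
  if (typeof name !== "string" || name.length === 0) {
    return "name must be a non-empty string";
  }
  if (name.length > MAX_NAME_LENGTH) {
    return "name is longer than " + MAX_NAME_LENGTH + " characters";
  }
  if (!NAME_PATTERN.test(name)) {
    return "name must start with a letter and contain only letters, digits and '_'";
  }
  return null;
}

// Checks every entry of a managed-object configuration on the server side.
// Returns a list of { index, reason }; an empty list means it is safe to store.
function validateManagedConfig(config) {
  if (!config || !Array.isArray(config.objects)) {
    return [{ index: -1, reason: "config.objects must be an array" }];
  }
  const errors = [];
  const seen = new Set();
  config.objects.forEach((obj, index) => {
    const name = obj ? obj.name : undefined;
    const reason = validateObjectName(name);
    if (reason !== null) {
      errors.push({ index, reason });
      return;
    }
    // The name ends up in a repository cluster and file name, so names that
    // differ only in case are treated as a collision (assumption).
    const key = name.toLowerCase();
    if (seen.has(key)) {
      errors.push({ index, reason: "duplicate name (compared case-insensitively)" });
      return;
    }
    seen.add(key);
  });
  return errors;
}

// Constructed sample input: entry 1 carries the name from the report.
const sampleConfig = { objects: [{ name: "user" },
  { name: '<script>alert("XSS");</script>' }, { name: "User" }, { name: "role_1" }] };
console.log(validateManagedConfig(sampleConfig));
```

The request should be refused with a client error when the returned list is not empty, instead of letting the repository layer fail with an internal error.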