New /add_contacts /remove_contacts quick commands susseptible to XSS from Customer Contact firstname/lastname fields