A1: No, it's a client-side issue

A2: <img src=x>

A3: <img src=x onerror=print()>

A4: VBScript, ActiveX, Flash, CSS,...

A5: CSS , Header, AngularJS, Template literals,...

A6: The functionality might be vulnerable to CSRF which would allow the attackers to insert a XSS attack vector via CSRF.

A7:

‘</script><script>alert(1)</script>
‘ to break out of JS function
Ending the current script tag with </script>
Starting our own scripts