BuddyPress 2.2.3 is out, which fixes several instances where URLs were not made safe (escaped) for output to the browser. If you’re using any version of BuddyPress and have not yet updated, please do so right away. If you need help, please reach out in our support forums and someone will be happy to assist you.
The BuddyPress team worked closely with the WordPress core team and several other plugin authors to coordinate the release of 2.2.3 alongside other libraries with similar issues.
These fixes have also been ported over to what will be 2.3, which we continue to run here at BuddyPress.org.