If you don't echo back stuff from the user and don't send it to other users, as in a chat application, or if you don't echo from users and exec commands (using the execHash option), there are no security implications.
If you do echo stuff from the user, then the user can put [[!;;;;javascript:alert("xss")]xss], if you also allow formatting from the user.
So you will be safe if you use this:
    $('body').terminal(function(text) {
        // escape [ and ] so user text cannot form a [[...]...] formatting span
        this.echo($.terminal.escape_brackets(text));
    });
and you'll also be safe.
And if you need to echo stuff from users and allow formatting, then you need to validate user input as in normal XSS prevention, but the strings will be different.
./, ../ and /, but if you want to link to a file in the same directory you need to put ./ in front.
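One way to do the validation described above when formatting from users is allowed, as an added example that is not part of the original text or of jQuery Terminal: link spans are kept only when their target is on an allowlist, and everything else has its brackets escaped. The names `sanitizeFormatting`, `escapeBrackets`, `SAFE_TARGET` and `SPAN` are hypothetical; the allowlist takes ./, ../ and / from the text above and adds http, https and ftp as an assumption, and it is assumed that a link with an empty fifth field uses its text as the target.

```javascript
// Stand-in for $.terminal.escape_brackets so the example runs without jQuery.
function escapeBrackets(s) {
  return s.replace(/\[/g, '&#91;').replace(/\]/g, '&#93;');
}

// Allowed link targets (assumption: http/https/ftp added to ./, ../ and /).
const SAFE_TARGET = /^(?:https?:\/\/|ftp:\/\/|\.\/|\.\.\/|\/)/i;

// One formatting span: [[style;color;background;class;data]text]
const SPAN = /\[\[([^\];]*);([^\];]*);([^\];]*)(?:;([^\];]*))?(?:;([^\]]*))?\]([^\]]*)\]/g;

function sanitizeFormatting(input) {
  let out = '';
  let last = 0;
  for (const m of input.matchAll(SPAN)) {
    // Brackets outside a recognised span are never trusted.
    out += escapeBrackets(input.slice(last, m.index));
    const [span, style, , , , data, text] = m;
    const isLink = style.includes('!');
    // Fifth field is the target; fall back to the text when it is empty.
    const target = (data || text).trim();
    // Keep plain styling and allowlisted links; neutralise any other link.
    out += (!isLink || SAFE_TARGET.test(target)) ? span : escapeBrackets(span);
    last = m.index + span.length;
  }
  return out + escapeBrackets(input.slice(last));
}

// Constructed sample inputs.
const samples = [
  '[[!;;;;javascript:alert("xss")]xss]',
  '[[!;;;;./readme.txt]file]',
  '[[b;red;]bold]',
];
for (const s of samples) {
  console.log(sanitizeFormatting(s));
}
```

In the page itself the result would be passed to `this.echo(...)` in place of the raw user text.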