top | item 39394662


hackideiomat | 2 years ago

Oh yes, because of the CSP. The CSP that allows forms that can change your settings... you could easily use the above bug to get some impact with an additional click on a form's submit button.

Admittedly, no full XSS anymore, but still dangerous and shows their lack of understanding and caring about security.

It's not the only place you can inject HTML and not every page has a CSP...


tmikaeld | 2 years ago

I don't get why they allow injection of irrelevant URL parameters in the first place; it's the first rule of any input: remove what's not used and sanitize what is.
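Both points above, the allow-list-and-escape rule for reflected query parameters and the CSP gap that leaves injected forms usable, can be checked in code. This is an added example, not code from the site under discussion; the parameter names and the sample CSP policies are constructed.

```python
import html
from urllib.parse import parse_qsl

# Constructed allow list: the only query parameters this page actually uses.
ALLOWED_PARAMS = {"q", "page"}


def sanitize_query(query_string: str) -> dict[str, str]:
    """Keep only allow-listed parameters and HTML-escape their values.

    Anything not on the allow list is dropped, so it can never be reflected.
    """
    kept = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name in ALLOWED_PARAMS:
            kept[name] = html.escape(value, quote=True)
    return kept


def render_search_box(query_string: str) -> str:
    """Hypothetical template that reflects the query back into the page."""
    q = sanitize_query(query_string).get("q", "")
    return f'<input name="q" value="{q}">'


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into directive -> sources."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_gaps(header: str) -> list[str]:
    """List directives a page that reflects user input should set.

    form-action and base-uri do not fall back to default-src, so a policy
    that only locks down script-src still lets injected markup submit forms
    to any origin or rebase the page's relative URLs.
    """
    directives = parse_csp(header)
    gaps = []
    if "form-action" not in directives:
        gaps.append("form-action missing: injected <form> may submit anywhere")
    if "base-uri" not in directives:
        gaps.append("base-uri missing: injected <base> can rebase relative URLs")
    return gaps
```

Note that `form-action` limits where a form may post, not what a same-origin settings endpoint does with the request; the settings form itself still needs anti-CSRF protection.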