Cross-site Scripting (XSS) - Stored in getgrav/grav
Jan 2nd 2022
: instead of
: in the
href attribute of
<a> tag to bypass the xss checks happening in the application.
Proof of Concept
1 A low-priv user create a page with the following payload:
2 Victim visit the page and click on
CLICK HERE TO EXPLOIT THIS XSS
XSS alert will show the domain name.