Cross Site Scripting Vulnerability in Latest Release

Hi, I would like to report Cross Site Scripting vulnerability in latest release.
Description:
Cross-site scripting (XSS) vulnerability inquokka/admin/actions.py 90, 151 line, Because there is no filter username.
The vulnerability code is:
`
flash(Markup(
                    f'Profile block for {user["username"]} '
                    f'Created at: '
                    f'<a href="{newlink}">{new.inserted_id}</a>'
                ))
`

Steps To Reproduce:
1.Create a user, username is xss payload, like: <script>alert(3)</script>
2.Select the username and Create user profile block, then trigger the payload.
![1](https://user-images.githubusercontent.com/8274796/54740028-0e453c80-4bf5-11e9-9b67-7c5c11ebe98c.png)
![2](https://user-images.githubusercontent.com/8274796/54740030-12715a00-4bf5-11e9-9e70-d4b565b2c48f.png)

author by jin.dong@dbappsecurity.com.cn

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cross Site Scripting Vulnerability in Latest Release #675

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Cross Site Scripting Vulnerability in Latest Release #675

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions