There is a stored XSS vulnerability

First request to add a questionnaire and enter the xss payload in the title of the questionnaire.

![man1](https://github.com/wkeyuan/DWSurvey/assets/63273184/24fad86f-bd96-429c-9a19-bdf774115f8d)

The DWSurvey system does not filter user input when processing requests.

![code1](https://github.com/wkeyuan/DWSurvey/assets/63273184/8387f78a-b025-4d37-aa23-e5cc68c19a4d)

xss payload is inserted into the database.

![code2](https://github.com/wkeyuan/DWSurvey/assets/63273184/92b6468f-1da6-496e-bbab-1b89e578f0e5)
![code3](https://github.com/wkeyuan/DWSurvey/assets/63273184/4e6b515d-b8a6-4a67-a2c0-1fedcd81f116)

The payload is not triggered at the title, but the surveyName is directly set to innerHtml in the popover.

![eval](https://github.com/wkeyuan/DWSurvey/assets/63273184/ad211c02-4336-43a7-859f-40e84ebf96f3)
![front](https://github.com/wkeyuan/DWSurvey/assets/63273184/af030977-580c-4244-b515-7d0afe240deb)



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

There is a stored XSS vulnerability #112

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

There is a stored XSS vulnerability #112

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions