Adding horizon-coresec for debunking...
As the report stands, it hardly qualifies as XSS since the output is not HTML but JSON... I don't see why you would HTML-encode that output? Or can you leverage the same bug on HTML output?