Cross Site Scripting (XSS) via Webhooks #1901

@dunderhay

What version of Gophish are you using?:

Gophish v0.10.1

Brief description of the issue:

When using the ping functionality to test a webhook, the response received from the webhook is reflected into the page without being properly escaped.

More on xss here.

What are you expecting to see happen?:

Execute arbitrary JavaScript

What are you seeing happen?

Execute arbitrary JavaScript

Please provide as many steps as you can to reproduce the problem:

  • Step 1 - Create a php file containing our JavaScript payload (in my case test2.php):

     <?php header("HTTP/1.0 404 <script>alert(1)</script>"); ?>

    Run the php web server: php -S localhost:8443 -t .

  • Step 2 - Create a new webhook in Gophish and point this to the previously created php file:

Create-webhook

  • Step 3 - Click the "Ping" button to test the new webhook and notice execution of arbitrary JavaScript:

xss

dom
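
The output encoding whose absence this report describes, as an added example in JavaScript (not Gophish's code and not part of the original report). The function names and the alert markup are hypothetical, and the sample status text is constructed from the report's test2.php response.

```javascript
// Added example: not Gophish source. Function names and alert markup are hypothetical.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the webhook's status text is concatenated into markup as-is.
function renderPingErrorUnsafe(statusText) {
  return '<div class="alert alert-danger">Ping failed: ' + statusText + "</div>";
}

// After: strip control characters, bound the length, then HTML-escape.
function renderPingErrorSafe(statusText) {
  const cleaned = String(statusText).replace(/[\x00-\x1f\x7f]/g, "").slice(0, 200);
  return '<div class="alert alert-danger">Ping failed: ' + escapeHtml(cleaned) + "</div>";
}

// List the element names an HTML parser would open for this string.
function openedTags(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][\w-]*)/g), (m) => m[1].toLowerCase());
}

// Constructed input: the status text sent by the report's test2.php.
const SAMPLE_STATUS = "404 <script>alert(1)</script>";

console.log(openedTags(renderPingErrorUnsafe(SAMPLE_STATUS)));
console.log(openedTags(renderPingErrorSafe(SAMPLE_STATUS)));
console.log(renderPingErrorSafe(SAMPLE_STATUS));
```

In a browser, assigning the message to an element's `textContent` instead of building an HTML string gives the same result without a hand-written escaper.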
