It is possible to inject JavaScript code through the letter parameter.
Steps to reproduce
Pass the query string ?letter=%F6%22%20accesskey=x%20onclick=%22alert(%27XSS%27) to the listing filter form URL in Firefox, then press the hotkey (Ctrl+Option+x on macOS or Ctrl+Alt+x on Windows).
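The following added example (not code from the affected project) decodes the reported query string and renders it into a form field twice, once by plain concatenation and once with allow-list validation plus output escaping, then parses both results to list the attributes a browser would see. It assumes the form reflects letter into a double-quoted HTML attribute and that a valid value is a single alphabetic character; the template and all function names are hypothetical.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Query string from the report above.
REPORTED_QUERY = "letter=%F6%22%20accesskey=x%20onclick=%22alert(%27XSS%27)"

# Assumption: the filter only ever needs one alphabetic character.
LETTER_RE = re.compile(r"[^\W\d_]")


def get_letter(query):
    """Decode the letter parameter; the invalid UTF-8 byte %F6 becomes U+FFFD."""
    return parse_qs(query, keep_blank_values=True).get("letter", [""])[0]


def render_unsafe(letter):
    # Hypothetical template: the value is concatenated into a quoted attribute.
    return '<input type="text" name="letter" value="' + letter + '">'


def render_safe(letter):
    # Reject anything that is not a single letter, then escape quotes on output.
    if not LETTER_RE.fullmatch(letter):
        letter = ""
    escaped = html.escape(letter, quote=True)
    return '<input type="text" name="letter" value="' + escaped + '">'


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names = [name for name, _ in attrs]


def attribute_names(tag):
    """Return the attribute names an HTML parser extracts from one tag."""
    collector = _AttrCollector()
    collector.feed(tag)
    return collector.names


if __name__ == "__main__":
    value = get_letter(REPORTED_QUERY)
    print(attribute_names(render_unsafe(value)))
    print(attribute_names(render_safe(value)))
```
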