Closed willgoSe closed 5 years ago
This is expected behaviour. That’s what an Author can do. An author can post anything, including HTML and JavaScript. This is a self-hosted blog over which the owner has full control. It is not a shared blogging platform like Medium, where you need to consider blocking malicious usage.
There is a Self-Stored Cross-Site Scripting (XSS) vulnerability. When the author uploads an essay that contains script code, browsers will execute that script code. PoC:
When anyone navigates to the blog page, the payload would be triggered: