Log into an existing account on a site with AvaTax address validation enabled
Click Address Book > Add New Address
Complete the address form with the following value in one of the address fields:
"><script>alert('XSS')</script>
Click Save Address
Expected result:
Either the address will be saved or a modal will display suggesting an alternative address or reporting that the address couldn't be verified:
Actual result:
The injected script is executed, resulting in a pop-up window:
rsisco
commented
7 years ago
Steps to reproduce:
"><script>alert('XSS')</script>Expected result: Either the address will be saved or a modal will display suggesting an alternative address or reporting that the address couldn't be verified:
Actual result: The injected script is executed, resulting in a pop-up window: