Closed
Description
Describe the bug
Apparently custom reasons are not sanitized on output.
To Reproduce
Steps to reproduce the behavior:
- Have a mod account level or higher.
- Go to Manage Awards in ModCP.
- Give an award to a user and input payload for reason.
  <script>alert('XSS')</script>
- The payload executes when viewing the award on awards.php and on user profiles.
Expected behavior
Such code shouldn't be executed.
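As an added example (not the plugin's own code), the unescaped output that produces this stored XSS beside the escaped version; it assumes the award reason is rendered into HTML from PHP, and the function names are hypothetical.

```php
<?php
// Added example, not the project's code. Simulates rendering an award's
// custom reason into a page. $reason is the stored, moderator-supplied
// string, so it must be treated as untrusted text.

// Vulnerable: the reason is interpolated into the markup as-is, so a stored
// <script> tag is parsed as HTML whenever awards.php or a profile is viewed.
function render_reason_unsafe(string $reason): string
{
    return "<span class=\"award-reason\">{$reason}</span>";
}

// Fixed: escape at the point of output. ENT_QUOTES also escapes single and
// double quotes, which matters if the value ever lands inside an attribute;
// ENT_SUBSTITUTE and the explicit charset stop invalid UTF-8 from yielding
// an empty string that would hide the problem instead of fixing it.
function render_reason_safe(string $reason): string
{
    $escaped = htmlspecialchars($reason, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<span class=\"award-reason\">{$escaped}</span>";
}

// Constructed sample input: the payload from the report above.
$reason = "<script>alert('XSS')</script>";

echo render_reason_unsafe($reason), PHP_EOL;
echo render_reason_safe($reason), PHP_EOL;
```

The second line prints the tag as literal text (`&lt;script&gt;...`), so the browser shows the reason rather than running it. If the forum is MyBB, its own htmlspecialchars_uni() is the usual wrapper for this purpose.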