
CVE-2018-7197 Stored XSS in admin/blog reaction post due to Unsanitized Url embedding #47

Closed
Alyssa-o-Herrera opened this issue Feb 17, 2018 · 2 comments
Alyssa-o-Herrera commented Feb 17, 2018

Hello. In addition to the command injection that was mentioned in one of the preceding issues, it's also vulnerable to stored XSS and blind stored XSS in the admin panel. This is a high-severity issue, as it allows attackers to specifically target users or even administrators. An admin who checks the blog to edit it or delete it will be met with the alert, which means JS is executing admin-side, which could allow theft of admin credentials and session.
Reproduction is quite easy.

  1. First install the CMS, log in as administrator to create a blog, create a page and insert the blog into it, then log out as admin.
  2. Then we go to our blog post and fill out the reaction information. We fill in name/email/message with generic information. For our url we'll provide this string: http://google.com/?"><svg/onload=confirm(document.domain)>
  3. Once we submit we'll see an alert echoing our website's domain name. Then log back in as admin and go to blog posts to see it firing there as well.
Alyssa-o-Herrera changed the title from "Stored XSS due to Unsanitized Url embedding" to "Stored XSS in admin/blog reaction post due to Unsanitized Url embedding" on Feb 17, 2018
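The report above describes the defect by its symptom: the reaction's url field is written into an href attribute unencoded, so a double quote closes the attribute and the rest of the string is parsed as markup, which is why the payload fires for any visitor viewing the post and again for the admin reviewing reactions. The Python below is an added example, not code from the CMS or from this issue, that reproduces that behaviour with a minimal template and shows the fix a reviewer would ask for: HTML-encode every field for the context it lands in, and allow-list the URL scheme before rendering, because encoding alone still leaves a javascript: URL clickable. The reaction dict, the function names, the allowed-scheme list and the rel attribute are all assumptions made for the illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample reaction, modelled on the payload in the report above.
# The url field is attacker-controlled; name/email/message are benign filler.
SAMPLE_REACTION = {
    "name": "visitor",
    "email": "visitor@example.com",
    "message": "nice post",
    "url": 'http://google.com/?"><svg/onload=confirm(document.domain)>',
}


def render_reaction_vulnerable(reaction):
    """Embed the reaction's URL in an href the way the report describes:
    the raw value is dropped straight into the attribute, so the double
    quote in the payload closes href="..." and the <svg onload=...> that
    follows becomes live markup on every page that shows the reaction."""
    return (
        '<div class="reaction">'
        '<a href="%s">%s</a>: %s'
        '</div>'
    ) % (reaction["url"], reaction["name"], reaction["message"])


def safe_url(value, allowed_schemes=("http", "https")):
    """Allow-list the scheme before the value is ever rendered (assumed
    policy: only http/https with a host). Output encoding alone does not
    help against a javascript: URL, because that payload needs no quote
    or angle bracket to execute when the link is clicked."""
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme.lower() not in allowed_schemes or not parts.netloc:
        return None
    return value


def render_reaction_hardened(reaction):
    """Same template, but every field is HTML-escaped for its context.
    html.escape(quote=True) turns both quote characters into entities, so
    the attribute cannot be closed early; the URL is additionally
    scheme-checked and, if rejected, the name is rendered without a link."""
    url = safe_url(reaction.get("url", ""))
    name = html.escape(reaction["name"], quote=True)
    message = html.escape(reaction["message"], quote=True)
    if url is None:
        link = name  # no link at all for a rejected URL
    else:
        link = '<a href="%s" rel="nofollow noopener">%s</a>' % (
            html.escape(url, quote=True), name)
    return '<div class="reaction">%s: %s</div>' % (link, message)


if __name__ == "__main__":
    print("vulnerable:", render_reaction_vulnerable(SAMPLE_REACTION))
    print("hardened:  ", render_reaction_hardened(SAMPLE_REACTION))
```

The hardened renderer has to be used everywhere the stored value is displayed, the public post and the admin reaction list alike; the report shows the payload firing in both. Encoding at output for each context is the durable fix rather than stripping characters at input, since the same stored value may later be rendered into HTML text, an attribute, or JSON, and each needs different encoding.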
Alyssa-o-Herrera commented Feb 18, 2018

Additionally, this has been assigned CVE-2018-7197. The severity of this issue is high, as an attacker can use this to successfully take over an administrative account and perform authenticated actions if they're able to steal the session and credentials of an administrator.

Alyssa-o-Herrera changed the title from "Stored XSS in admin/blog reaction post due to Unsanitized Url embedding" to "CVE-2018-7197 Stored XSS in admin/blog reaction post due to Unsanitized Url embedding" on Feb 18, 2018
BSteelooper (Contributor) commented

See my pull request #48.

billcreswell added this to the 4.7.4 milestone Mar 31, 2018