A manager can inject XSS through the product name field in the admin backend.
Log in with the default account and password "admin/admin&123", then open the URL 'http://localhost:3456/php-ocls/admin/?page=product/manage_product&id=2'.
Set the product name as follows
Then click save.
Visiting the homepage then triggers the XSS.
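
The steps above work because the saved product name is written into the homepage without HTML encoding. The block below is an added example, not code from php-ocls: it shows the unescaped output pattern next to an encoded one, and every function name, the `$product` array and its sample value are assumptions made for illustration.

```php
<?php
// Added illustration with hypothetical names; not the project's own code.

// Constructed sample row standing in for a product record read from the database.
$product = [
    'id'   => 2,
    'name' => '<b>Sample</b> "product" & more', // constructed value with HTML metacharacters
];

// Vulnerable pattern: the stored name goes into the page as-is, so any markup
// saved through the admin form is interpreted by every visitor's browser.
function render_product_unsafe(array $product): string
{
    return '<h3 class="product-name">' . $product['name'] . '</h3>';
}

// Encode for the HTML context at output time. ENT_QUOTES also covers
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: same template, but the name is encoded before output.
function render_product_safe(array $product): string
{
    return '<h3 class="product-name">' . e($product['name']) . '</h3>';
}

// Defence in depth on the save path: refuse names that are empty, overly
// long, or contain angle brackets. This does not replace output encoding.
function validate_product_name(string $name): bool
{
    $name = trim($name);
    return $name !== '' && strlen($name) <= 250 && !preg_match('/[<>]/', $name);
}

echo render_product_unsafe($product), PHP_EOL;
echo render_product_safe($product), PHP_EOL;
var_dump(validate_product_name($product['name']));
```

Encoding belongs on every page that prints the product name, including the admin listing, since the value is already stored and may predate any input validation.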



