Hi! It’s still possible to use an invalid dir param to spoof messages in the directory breadcrumbs area.
For example, you can use URL-encoded periods to bypass the directory traversal prevention. By referencing a path that returns a 301, you can add a message in the dir param F108266:
Also, in Chrome, the presence of a null byte (%00) in the URL causes a CSP error for an ajax request upon page load, which prevents the redirect to dir=/ and allows you to put a message in the dir param F108267:
Please let me know if you need more info. Thanks!