Openfolio: xss in /browse/contacts/

ID H1:38189
Type hackerone
Reporter defmax
Modified 2015-01-14T18:46:53


hey guys

I just found an XSS in Openfolio.

I just created a contact in Google with the name `"><img src=x onerror=prompt(1)>` and gave it a random email.

url >>

Then I synced Openfolio with Google Contacts.

Then I went here >>

Then I clicked on "invite" for `"><img src=x onerror=prompt(1)>`, and I got the XSS popup ~

POC >>
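Added example, not code from the report or from Openfolio: a constructed invite-list row rendered with and without escaping the synced contact name, using the payload from the report. The contact object, the row markup and the helper names are assumptions; the point is that a `">` in a name breaks out of a quoted attribute unless both attribute and text contexts are escaped.

```javascript
// Added example (not from the report or Openfolio's code). Contact names
// synced from a third-party address book are attacker-controlled input and
// must be escaped for the HTML context they land in. The report's payload
// closes a quoted attribute with `">` and then injects an <img> tag.

// Constructed sample input: the contact name from the report plus a
// placeholder email (the report only says the email was random).
const SYNCED_CONTACT = {
  name: '"><img src=x onerror=prompt(1)>',
  email: 'random@example.invalid', // constructed placeholder
};

// Vulnerable rendering: raw concatenation into an attribute and into text.
function renderInviteRowUnsafe(contact) {
  return '<li data-name="' + contact.name + '">' +
         contact.name + ' &lt;' + contact.email + '&gt; ' +
         '<button class="invite">invite</button></li>';
}

// Escape the five characters that matter in HTML text and in double-quoted
// attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hardened rendering: every untrusted value is escaped before insertion.
function renderInviteRowSafe(contact) {
  const name = escapeHtml(contact.name);
  const email = escapeHtml(contact.email);
  return '<li data-name="' + name + '">' + name + ' &lt;' + email + '&gt; ' +
         '<button class="invite">invite</button></li>';
}

// Check used below: the template never emits an <img> element, so one in the
// output can only have come from the contact data.
function containsInjectedImg(html) {
  return /<img\b/i.test(html);
}
```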