Openfolio: xss in /browse/contacts/

2014-12-04T11:14:57
ID H1:38189
Type hackerone
Reporter defmax
Modified 2015-01-14T18:46:53

Description

Hey guys,

I just found an XSS in Openfolio.

I just created a contact in Google with the name "><img src=x onerror=prompt(1)> and gave a random email.

URL >> https://www.google.com/contacts/u/0/#contact/new

Then I synced Openfolio with Google Contacts.

Then I went here >> https://openfolio.com/browse/contacts/

Then I clicked on Invite for "><img src=x onerror=prompt(1)> and I got the XSS popup.

POC >> http://postimg.org/image/6po3vo89l/
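The bug class behind this report is a stored XSS through imported third-party data: a contact name synced from Google is rendered into the invite markup without encoding. The following is an added illustration, not Openfolio's code; the invite template, the contact object and the helper names are assumptions, and the sample contact is constructed from the name given in the report.

```javascript
// Constructed sample: the contact name the reporter used, as it would arrive
// from a contacts sync. Anything from a third-party source is untrusted input.
const importedContact = {
  name: '"><img src=x onerror=prompt(1)>',
  email: 'random@example.invalid',
};

// Vulnerable pattern (hypothetical template): the name is spliced straight into
// HTML, both into a double-quoted attribute and into the link text.
function renderInviteUnsafe(contact) {
  return '<a class="invite" data-name="' + contact.name + '">Invite ' +
    contact.name + '</a>';
}

// Fix: encode the five characters that change meaning in text and
// double-quoted attribute contexts before the value touches markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderInviteSafe(contact) {
  const safeName = escapeHtml(contact.name);
  return '<a class="invite" data-name="' + safeName + '">Invite ' +
    safeName + '</a>';
}

// Regression check for a test suite: the template opens exactly one element,
// so any additional opening tag in the output came from the data.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Unsafe output opens three elements (the <a> plus two injected <img>);
// the safe output opens only the <a>.
```

The same encoding must be applied wherever the synced name is shown, not only on the invite control, since every rendering site is a separate sink.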