Stored XSS is a vulnerability in which the attacker can execute arbitrary JavaScript code in the victim’s browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage.
I used (Line Feed character) in the href attribute of the <a> tag to bypass the XSS checks of invalid_protocols (e.g. javascript:) happening in the application.
STEP 1: A low-priv user creates a page with the following payload:
<a href>CLICK HERE TO EXPLOIT THIS XSS</a>
STEP 2: The victim visits the page and clicks on CLICK HERE TO EXPLOIT THIS XSS
The XSS alert will show the domain name.
An attacker can execute arbitrary JavaScript code in the victim’s browser.
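
For anyone fixing this class of bug: the added example below (not code from the affected application or from this report) contrasts a blocklist match on the raw href text with a check that first normalizes the value the way a browser does and then allowlists the scheme. The function names, the allowed scheme set and the sample values are assumptions made for illustration, and the code assumes it receives the raw, still entity-encoded attribute text.

```python
import html
import re

# Assumption for this sketch: only these schemes are allowed in user links.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
BLOCKED_PREFIXES = ("javascript:", "data:", "vbscript:")

# Browsers (WHATWG URL parsing) drop ASCII tab, LF and CR from anywhere in a
# URL and trim leading/trailing C0 control characters and spaces.
_TAB_OR_NEWLINE = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def naive_is_safe(href: str) -> bool:
    """Blocklist match on the raw attribute text (the weak pattern)."""
    return not href.strip().lower().startswith(BLOCKED_PREFIXES)


def normalize_href(href: str) -> str:
    """Reduce raw attribute text to what the browser's URL parser will see."""
    value = html.unescape(href)              # &#10; / &#x0A; -> "\n"
    value = _TAB_OR_NEWLINE.sub("", value)   # removed anywhere in the URL
    return value.strip(_C0_AND_SPACE)


def hardened_is_safe(href: str) -> bool:
    """Allowlist the scheme after normalization; schemeless URLs are relative."""
    match = _SCHEME.match(normalize_href(href))
    return match is None or match.group(1).lower() in ALLOWED_SCHEMES


# Constructed sample values (not the payload from the report above).
SAMPLES = [
    "https://example.com/docs",
    "/wiki/home",
    "javascript:void(0)",
    "java\nscript:void(0)",
    "java&#10;script:void(0)",
    " \n javascript:void(0)",
]


def check_samples():
    return [(s, naive_is_safe(s), hardened_is_safe(s)) for s in SAMPLES]


if __name__ == "__main__":
    for sample, naive, hardened in check_samples():
        print(f"{sample!r:32} naive={naive!s:5} hardened={hardened}")
```

The blocklist accepts both line-feed variants because the raw string no longer starts with a blocked prefix, while the normalized allowlist check rejects them.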