The website incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page served to other users.
javaSCRIPT:alert(origin)
1. Go to https://www.rosariosis.org/demonstration/ and log in with an administrator account
2. Go to https://www.rosariosis.org/demonstration/Modules.php?modname=Resources/Resources.php
3. Create a new link with the content javaSCRIPT:alert(origin)
4. Click the link and observe a pop-up
https://drive.google.com/file/d/164Sk7viMV4gHvrmDykJZ9euivfoHlN-1/view?usp=sharing
https://drive.google.com/file/d/1-v6coqFoi0fQxjyak61XlH6GEFLiN2x7/view?usp=sharing
https://drive.google.com/file/d/1JGwM0_WBShHRWnAc9l-9zY26ayZF3rSW/view?usp=sharing
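A mitigation sketch for the stored link described above, as an added example that is not RosarioSIS code: it validates a user-supplied link target with the same URL parser the browser uses and allow-lists the scheme, next to a case-sensitive blocklist that the mixed-case payload passes. The blocklist, the base URL `https://sis.example/`, the allowed schemes and all function names are assumptions; the report does not show how the application filters links.

```javascript
// Schemes a stored "resource" link may use (assumed policy for this example).
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Placeholder base, used only so relative links can be parsed (assumption).
const BASE = 'https://sis.example/';

// Weak form (hypothetical): case-sensitive blocklist of a single scheme.
// "javaSCRIPT:..." does not start with the lowercase string, so it passes.
function naiveIsAllowed(href) {
  return !href.startsWith('javascript:');
}

// Hardened form: parse first, then allow-list the normalized scheme.
// The WHATWG URL parser lowercases the scheme and strips leading spaces
// and control characters, matching how a browser reads an href value.
function isAllowedLink(href) {
  if (typeof href !== 'string') return false;
  let url;
  try {
    url = new URL(href, BASE);
  } catch {
    return false; // unparsable input is rejected, not stored
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Run both checks over a list of candidate link values.
function compare(samples) {
  return samples.map((href) => ({
    href,
    naive: naiveIsAllowed(href),
    allowList: isAllowedLink(href),
  }));
}

// Constructed sample inputs; the second one is the value from the report.
const SAMPLES = [
  'https://www.rosariosis.org/',
  'javaSCRIPT:alert(origin)',
  'Modules.php?modname=Resources/Resources.php',
  'mailto:admin@sis.example',
  'data:text/html,hello',
];

console.table(compare(SAMPLES));
```

The check belongs on the server when the link is saved and again when it is rendered, since HTML-escaping the value alone does not change its scheme.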