This issue was already reported earlier (the "passing cainiao A" submission); Happy Buyers replied "fixed" on February 22!
1) Register a user and set the profile picture;
2) Click Save Avatar and intercept the request; the data still contains the "pic" parameter;
3) To get past the filter, first look at the defenses Happy Buyers added. After some tests, we found:
3.1) ">" is not filtered, but attempts to use it did not succeed, so we gave up on it;
3.2) After the constructed XSS code is appended to the pic parameter, the system automatically adds a `"` after it;
3.3) So I thought of commenting out this double quote by adding "//" to the submission, but found that the system dropped one "/";
3.4) So to comment it out you add "//", and after submission only one "/" remains;
4) Now the system's defense is roughly clear: resubmit the captured request with the XSS code appended to the "pic" parameter;
5) The system's defense was bypassed and the lovely pop-up window appeared. I heard this profile picture is displayed in many places, so the harm is obvious.
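As an added illustration (not Happy Buyers' code), the blacklist behaviour described above is modelled beside a renderer that validates the value against an allowlist and encodes it for the attribute context; the template string, the allowlist pattern and the fallback path are assumptions of this example.

```python
import html
import re

# Assumed policy for an avatar path: relative path of safe characters only.
AVATAR_RE = re.compile(r"^[A-Za-z0-9_\-./]+$")
DEFAULT_AVATAR = "/static/default-avatar.png"  # assumed fallback


def naive_filter(pic: str) -> str:
    """Approximation of the blacklist the report describes: one '/' is
    dropped, everything else (quotes, angle brackets) passes through."""
    return pic.replace("/", "", 1)


def render_avatar_naive(pic: str) -> str:
    # The template supplies the closing quote the report mentions;
    # the value itself is inserted raw after the blacklist pass.
    return '<img src="%s">' % naive_filter(pic)


def render_avatar_safe(pic: str) -> str:
    # Layer 1: reject anything outside the allowlist (or path tricks).
    if not AVATAR_RE.fullmatch(pic) or ".." in pic or pic.startswith("/"):
        pic = DEFAULT_AVATAR
    # Layer 2: encode for an HTML attribute context regardless of layer 1.
    return '<img src="%s">' % html.escape(pic, quote=True)


def attribute_is_contained(markup: str) -> bool:
    """True if the src value contains no raw '"', '<' or '>' that could
    terminate the attribute or open a new tag."""
    return re.fullmatch(r'<img src="([^"<>]*)">', markup) is not None


if __name__ == "__main__":
    for value in ("avatars/u1.png", 'x" y', "a//b.png"):
        print(repr(value), attribute_is_contained(render_avatar_naive(value)),
              attribute_is_contained(render_avatar_safe(value)))
```

The check shows why removing a single character is not a fix: the naive renderer lets a quote in the value close the attribute, while the allowlist plus encoding keeps every input inside it.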