Editorial Stack

CMS Platform

Editors can submit arbitrary HTML and the public page renders it raw. A separate form-preview flow also reflects user input directly back into HTML without escaping it.

Back to hub Reload scenario

The app only checks for non-empty text before storing.

Expected Findings

Stored XSS through draft and post content.
Form preview reflects unsanitized input into HTML.
Editor surface is reachable without auth.
Validation only checks presence, not content safety.

Primary Flows

Public posts GET to render stored HTML
Submit post POST body=<html> to store raw content
Form preview POST title=<html> to reflect unsafely in response HTML

Signals

Validation

if (body.trim().length > 0) saveDraft(body)

Preview Render

preview.innerHTML = form.title