StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template
Summary
The user supplied class value is fed directly into the sprintf call that creates HTML. You can add a quote to escape the class and then inject arbitrary html/javascript to the final output.Details
The template here adds a figure with a class that is substituted in. This value is provided to sprintf here, an unescaped version of the class supplied by the user.$template = <<
%s%s%s%s
HTML;PoC
Note the double quote immediately following the single quote to escape the class attribute in the template:dQw4w9WgXcQ