Key Information

- Affected Products: Public Chat Room
- Vulnerable File: send_message.php
- Affected Versions: V1.0
- Vulnerability Type: Stored XSS Attack
- Root Cause: The server failed to properly escape user input, storing it directly in the database and displaying it in the browser, which led to HTML/JavaScript code being interpreted and executed.
- Impact: Attackers can inject malicious scripts, resulting in:
  - Inserting JavaScript code into chat messages
  - Stealing session cookies or authentication data
  - Launching phishing attacks, man-in-the-middle attacks, etc.

Description

This vulnerability exists in the chat message storage logic. User-generated content (such as HTML tags and JavaScript code) is not properly HTML-encoded, stored directly in the database, and displayed on HTML pages. Attackers can inject malicious HTML and JavaScript content, which will execute in the browsers of other users when they view the page, leading to cross-site scripting (XSS) attacks.

Vulnerability Details and POC

Vulnerability Name: Stored XSS Attack

POC Example:

Recommended Fixes

1. Escape all user-generated output using HTML entity encoding.
   - Use functions such as , , or to prevent HTML/JavaScript execution.
2. Input Validation:
   - Apply filters or blacklists to prevent users from submitting HTML/JavaScript code.
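
The first recommended fix, shown as an added example that is not code from the affected project: the unescaped rendering pattern the advisory describes next to an output-encoded version. The helper `e()`, the column names `username` and `message`, and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode a value for an HTML text or quoted-attribute context.
function e(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // with U+FFFD instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// BEFORE (the vulnerable pattern described above): stored text is emitted as markup.
function render_message_unsafe(array $row): string
{
    return '<li><b>' . $row['username'] . '</b>: ' . $row['message'] . '</li>';
}

// AFTER: every stored field is encoded at output time, so the browser
// displays it as text and never parses it as HTML or script.
function render_message_safe(array $row): string
{
    return '<li><b>' . e($row['username']) . '</b>: ' . e($row['message']) . '</li>';
}

// Constructed rows standing in for what the chat table would return.
$rows = [
    ['username' => 'alice',    'message' => 'hello & welcome'],
    ['username' => 'mallory',  'message' => '<script>alert(1)</script>'],
    ['username' => 'bob"><i>', 'message' => "it's 1 < 2"],
];

foreach ($rows as $row) {
    echo 'unsafe: ', render_message_unsafe($row), PHP_EOL;
    echo 'safe:   ', render_message_safe($row), PHP_EOL;
}
```

Because the encoding is applied when the message is rendered, rows already stored in the database are displayed safely without a data migration.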