Bergee's Stories on Bug Hunting

hacking, cyber security and programming

The forgotten API and XSS filter bypass

2022-08-14 (updated 2022-09-07)

On one site I found a forum section. There was an option to join groups and then create posts in them. I created an account, joined an open group, and then created a post with the payload:

<img src=x onerror=alert(1)>

Nothing happened; the user input was properly sanitized. I tried URL encoding, double URL encoding, and HTML entity encoding, however nothing worked :(. The group URL looked like:

https://www.redacted.com/members/modules/groupsV3/

I thought: what if I change groupsV3 to groupsV2 or groupsV1? I didn't expect much, however I changed V3 to V2, and... it worked: the URL was valid, but there was no alert box :(. Some other filter was in action: quotes, double quotes, and parentheses were stripped. Hmmm, there must be a way to bypass it. After googling for some time I found this payload:

<img src=x onerror=setTimeout`alert\x28document.domain\x29`>

It is based on tagged template literals: a template literal placed directly after a function name calls that function without parentheses, and the \x28 and \x29 escapes inside it are decoded by the JavaScript engine, not by the filter. You can read about it here. I used it in a forum post and... it worked like a charm :). The alert box popped up.
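The following is an added example, not code from the post or the affected site. It contrasts a deny-list filter of the kind the groupsV2 endpoint appears to apply (stripping quotes and parentheses) with context-aware HTML encoding, and uses a crude static oracle (hypothetical name `hasExecutableHandler`) to show which output still carries a callable event handler. Function names and the oracle are my own assumptions.

```javascript
// Added example (not the blog's or the site's code). Hypothetical helpers:
// stripDangerousChars, escapeHtml, hasExecutableHandler, compare.

// Deny-list filter like the one described for the V2 endpoint: removes
// quotes, double quotes and parentheses, leaves everything else untouched.
function stripDangerousChars(input) {
  return input.replace(/["'()]/g, "");
}

// Context-aware encoding for HTML text content: every character that can
// open a tag or attribute becomes an entity, so the browser renders the
// input as literal text rather than parsing it as markup.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Static oracle for this demo only: is there a real tag carrying an on*
// attribute whose value contains a call? A call needs either "name(" or a
// tagged template "name`"; a bare identifier such as "alert1" runs nothing.
function hasExecutableHandler(html) {
  const m = /<\w+[^>]*\son\w+\s*=\s*([^\s>]+)/i.exec(html);
  if (!m) return false;
  return /\w[(`]/.test(m[1]);
}

// The two payloads from the post (constructed input). The second carries a
// literal backslash sequence that the JS engine decodes, hence "\\x28".
const PAYLOAD_PARENS = "<img src=x onerror=alert(1)>";
const PAYLOAD_TEMPLATE =
  "<img src=x onerror=setTimeout`alert\\x28document.domain\\x29`>";

// Run one payload through both defenses and report whether a callable
// handler survives each of them.
function compare(payload) {
  return {
    denyList: hasExecutableHandler(stripDangerousChars(payload)),
    encoded: hasExecutableHandler(escapeHtml(payload)),
  };
}
```

The deny list neutralizes the parenthesis payload but passes the template-literal one through untouched, while encoding defeats both and also keeps legitimate parentheses in a post intact.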

See you next bug :).

Reward: 👕
