On one site I found the forum section. There was an option to join some groups and then create posts in the group. I created an account, joined some opened group, and then created the post with the payload:
<img src=x onerror=alert(1)>
Nothing happened the user input was properly sanitized. I tried URL encoding, double URL encoding, and HTML entity encoding however nothing worked :(. The group URL was like:
I thought – what if I change the groupsV3 to groupsV2 or groupsV1? I didn’t expect much, however, I changed V3 to V2, and… it worked, the URL was valid but no alert box :(. There was some other filter in action – quotes, double quotes, and parenthesis were cut. Hmmm, there must be a way to bypass it. By googling for some time I found this payload:
<img src=x onerror=setTimeout`alert\x28document.domain\x29`>
It is based on template literal expressions. You can read about it here. I used it in a forum post and.. it worked like a charm :). The alert box popped up.
See you next bug :).