Storage XSS vulnerability

I found a storage XSS vulnerability in pages that add news


在普通用户和游客身份发布新闻会被实体化编码，而用admin账号去做xss就可以逃逸达到存储型xss的目的
Publishing news on the identity of ordinary users and tourists will be entirely coded, and using admin account to do XSS can escape to achieve the purpose of storage xss.
![image](https://user-images.githubusercontent.com/50261633/57392848-6b706e00-71f4-11e9-9a1e-d0a4955f652e.png)

![image](https://user-images.githubusercontent.com/50261633/57393057-e46fc580-71f4-11e9-8086-2ba318607152.png)



Next, prove the vulnerability
![image](https://user-images.githubusercontent.com/50261633/57393278-5d6f1d00-71f5-11e9-92e6-01c70e07bff3.png)
Click Modify
![image](https://user-images.githubusercontent.com/50261633/57393431-a58e3f80-71f5-11e9-892c-52ca84d04f38.png)


Enter the script we built and click Submit
![image](https://user-images.githubusercontent.com/50261633/57393633-19c8e300-71f6-11e9-9008-c85ab852e19c.png)

Bombs found after submission
![image](https://user-images.githubusercontent.com/50261633/57393733-4b41ae80-71f6-11e9-8a21-4d57cfc770c6.png)
![image](https://user-images.githubusercontent.com/50261633/57393831-8512b500-71f6-11e9-9859-80f57524f129.png)






Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Storage XSS vulnerability #3

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Storage XSS vulnerability #3

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions