## Exploit

1. At `http://10.0.2.15/?page=feedback` there is a form that accepts user input and does not filter it in any way.
1. Simply add a feedback with any name and a message containing an HTML script to execute, for example ``

## Fix

[https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting)

Never render untrusted HTML, JS, CSS or URLs without encoding/sanitization.
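
The fix above, sketched as an added example (not the target application's code): a feedback entry rendered by plain concatenation next to a version that encodes each stored value for the context it lands in. The function names, the table markup and the optional `website` field are assumptions made for illustration.

```javascript
'use strict';
// Added example: output encoding for a stored feedback entry.
// Names, markup and the `website` field are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) URLs; any other scheme becomes "#".
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch {
    return '#'; // not a parseable absolute URL
  }
}

// Vulnerable: stored values are concatenated into the markup unchanged.
function renderFeedbackUnsafe(entry) {
  return `<tr><td>${entry.name}</td><td>${entry.message}</td></tr>`;
}

// Hardened: every stored value is encoded at output time.
function renderFeedback(entry) {
  const link = entry.website
    ? ` <a href="${escapeHtml(safeUrl(entry.website))}" rel="nofollow noopener">site</a>`
    : '';
  return `<tr><td>${escapeHtml(entry.name)}${link}</td><td>${escapeHtml(entry.message)}</td></tr>`;
}

// Constructed sample entry, as it would come back from storage.
const sample = {
  name: 'Mallory & Co',
  message: '<script>alert(1)</script>',
  website: 'javascript:alert(1)',
};

console.log(renderFeedbackUnsafe(sample)); // markup survives intact
console.log(renderFeedback(sample));       // markup is shown as text
```

Encoding at output time means entries already stored before the fix are also rendered inertly.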