Version
~ 1.3.22
Problem
~ Stored XSS in Project Name
How to reproduce this issue
- Register an account in the demo domain http://yapi.demo.qunar.com/
Then create a new project:

Insert the payload xss"><img src=1 onerror=alert(/xss/)> in the project name and set the project as public.
- Then put the project in a public group, such as test2, so everyone can view the project

- When someone, including the managers & administrators, views the operation dynamics of the project, the malicious JS code will execute.


Which browser
~ chrome
Which operating system (Linux, Windows, macOS)
~ Linux
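
Added example, not part of the original report and not YApi's own code: a hypothetical activity-log renderer showing the unescaped pattern that produces this kind of stored XSS next to an output-encoded version, run against the project name quoted above. The function names, the log-entry template, and the user and project id values are assumptions made for illustration.

```javascript
// Hypothetical activity-log renderer (illustration only, not YApi source).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored project name is concatenated into markup as-is,
// so a quote and angle bracket in the name close the attribute and start a new tag.
function renderLogEntryUnsafe(user, projectName, projectId) {
  return `<span>${user} added project <a href="/project/${projectId}" title="${projectName}">${projectName}</a></span>`;
}

// Hardened pattern: every user-controlled field is encoded at output time,
// and the id is forced to an integer before it reaches the URL.
function renderLogEntrySafe(user, projectName, projectId) {
  const id = Number.parseInt(projectId, 10);
  if (!Number.isInteger(id) || id < 0) {
    throw new TypeError('projectId must be a non-negative integer');
  }
  const name = escapeHtml(projectName);
  return `<span>${escapeHtml(user)} added project <a href="/project/${id}" title="${name}">${name}</a></span>`;
}

// Regression check: true if the markup contains any raw tag other than the
// template's own <span> and <a>, meaning stored data was parsed as HTML.
function containsInjectedTag(html) {
  const allowed = ['<span', '</span', '<a', '</a'];
  const tags = html.match(/<\/?[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return tags.some((tag) => !allowed.includes(tag.toLowerCase()));
}

// Project name exactly as given in the report; user and id are constructed values.
const reportedName = 'xss"><img src=1 onerror=alert(/xss/)>';
const unsafeHtml = renderLogEntryUnsafe('alice', reportedName, 11);
const safeHtml = renderLogEntrySafe('alice', reportedName, 11);

console.log('unsafe output has injected tag:', containsInjectedTag(unsafeHtml));
console.log('safe output has injected tag:  ', containsInjectedTag(safeHtml));
```

A check like `containsInjectedTag` fits in a unit test for any view that renders project names, including the operation-dynamics log.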