CosmoCMS / Cosmo

Single Page App CMS

Home Page: http://www.cosmocms.org/


DOM Cross Site Scripting

Shinkurt opened this issue

Hey Cosmo Devs,

I didn't have a direct email for the developers, so I am opening this ticket publicly. (Please send me your email so I can give you more serious security issues.)

Anyway, in the HTML of the index and almost every page it says:

            if(window.location.href.indexOf('#!') === -1)
                window.location.href = window.location.protocol + '//' + window.location.host + '/#!' + window.location.pathname;
        </script>

Note: it is IE 9 commented, so it will primarily target IE users, but using encodeURIComponent(window.location.pathname) would pretty much solve this issue. This is basically like the one WordPress got last time, something like: http://www.paulosyibelo.com/2015/04/facebooks-parse-dom-xss.html

Thanks,

Hey, thank you for making us aware. Should be patched for next release (v5). For other issues that are better off in email, you can send them my way - jordan@wearedunn.com
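
The redirect quoted in the issue next to an encoded variant, as an added example that is not code from the Cosmo project or from either poster. It goes one step beyond the suggested `encodeURIComponent(window.location.pathname)` by encoding each path segment separately, so `/` survives as the route separator and already-encoded input is not double-encoded. The function names, the `cms.example` host and the sample location object are constructed for illustration.

```javascript
// Pattern quoted in the issue: pathname is copied into the new URL unchanged.
function buildRedirectUnsafe(loc) {
  return loc.protocol + '//' + loc.host + '/#!' + loc.pathname;
}

// Encode one path segment. Decode first so an already-encoded segment
// ("%3C") is not double-encoded ("%253C"); keep the raw text when the
// segment holds a malformed escape that decodeURIComponent rejects.
function encodeSegment(segment) {
  let decoded;
  try {
    decoded = decodeURIComponent(segment);
  } catch (e) {
    decoded = segment; // URIError, e.g. a lone "%"
  }
  return encodeURIComponent(decoded);
}

// Encode per segment so "/" is preserved between segments.
function encodePath(pathname) {
  return pathname.split('/').map(encodeSegment).join('/');
}

function buildRedirectSafe(loc) {
  return loc.protocol + '//' + loc.host + '/#!' + encodePath(loc.pathname);
}

// Same guard as the quoted snippet: only redirect when "#!" is absent.
// Returns the target URL, or null when no redirect is needed.
function hashbangRedirect(loc, build) {
  return loc.href.indexOf('#!') === -1 ? build(loc) : null;
}

// Constructed sample: a location whose pathname carries raw markup
// characters (assumed to reach script unencoded, as the issue implies).
const sample = {
  protocol: 'http:',
  host: 'cms.example',
  pathname: '/blog/<em>post',
  href: 'http://cms.example/blog/<em>post'
};

console.log(hashbangRedirect(sample, buildRedirectUnsafe));
console.log(hashbangRedirect(sample, buildRedirectSafe));
```

`encodeURIComponent` leaves `' ( ) ! * ~` unescaped, so whatever later reads the fragment still needs output encoding appropriate to where it writes the value.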