description

The code problem occurred in OJ / admin-tools / cal_scores.php. The $ realname in the output form was obtained from the database. There was no filtering of angle brackets “<>” during registration, which caused the reorganization here. xss injection

Attack process

首先注册一个账号,Class为"软工163"，Real Name is 
<details open ontoggle=['yds_is_so_handsome'].find(\u0070rompt)>

Then visit / OJ / admin-tools / cal_scores.php, set the classList to soft 软工163, and click submit

the attack works

poc

<details open ontoggle=['yds_is_so_handsome'].find(\u0070rompt)>