by jowlo
1801 days ago
> You forgot to read the sentence before that

Oh, yes, I did, sorry! I thought this was found in production code. I do support them publishing this and, like I said, the code is audited to find exactly these kinds of errors, so I am not at all trying to shame them here. Their process worked: they found and fixed the vulnerabilities. OTOH, not having a proper CSP preventing inline JS, the innerHTML usages and that XSS together do not go too well with the overall extremely positive sound of the headlines. All three of those are in the 101 of secure web app development. Aaand, with the number of users they have, tons of them will right-click and open in a new tab every hour. It's also easily exploitable: send an image with very small text. However, being in a different tab, I am unsure how much info you would be able to steal, but sessions/tokens would be possible I guess.
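As an added illustration of the two points the comment above raises (a CSP that actually forbids inline script, and untrusted text reaching an innerHTML sink unescaped), here is a small JavaScript example. It is not code from the thread or from the project being discussed; the policy strings, the sample payload and all function names are constructed for this example.

```javascript
// Added example (not from the thread or the project it discusses): a CSP check and
// an HTML-escaping render path. Policy strings, payload and names are constructed.

// Parse a Content-Security-Policy header value into a Map of directive -> source list.
// Per the spec, a directive repeated inside one policy is ignored after its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True if the policy would let inline <script> blocks and on* event handlers run.
// script-src falls back to default-src; with neither present there is no restriction at all.
// 'unsafe-inline' is ignored when a nonce- or hash-source is present (CSP Level 2 and later).
function cspAllowsInlineScript(policy) {
  const d = parseCsp(policy);
  const src = d.has('script-src') ? d.get('script-src') : d.get('default-src');
  if (src === undefined) return true;
  const lower = src.map(t => t.toLowerCase());
  const hasNonceOrHash = lower.some(t => /^'(nonce-|sha(256|384|512)-)/.test(t));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// The pattern the comment objects to: untrusted text concatenated straight into markup
// that is later assigned to element.innerHTML. Kept here only to show the difference.
function renderCommentUnsafe(text) {
  return `<p class="comment">${text}</p>`;
}

// Hardened version: identical markup, but the untrusted part is escaped first.
function renderCommentSafe(text) {
  return `<p class="comment">${escapeHtml(text)}</p>`;
}

// Constructed sample input: a classic payload that needs no <script> tag, so only an
// escaping sink or a CSP without effective 'unsafe-inline' stops it.
const SAMPLE_PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Constructed policies: the first is what "no proper CSP" usually looks like in practice.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lu3'";

console.log('weak policy allows inline script:  ', cspAllowsInlineScript(WEAK_CSP));
console.log('strict policy allows inline script:', cspAllowsInlineScript(STRICT_CSP));
console.log('unsafe render:', renderCommentUnsafe(SAMPLE_PAYLOAD));
console.log('safe render:  ', renderCommentSafe(SAMPLE_PAYLOAD));
```

The policy check follows two CSP rules worth remembering when reviewing a header: `script-src` falls back to `default-src` when absent, and `'unsafe-inline'` is discarded once a nonce or hash source is listed, so a policy that names a nonce is not weakened by also carrying `'unsafe-inline'` as a fallback for older browsers. Escaping on output is the minimum for an innerHTML sink; assigning to `textContent` instead avoids the parser entirely when no markup is needed.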