Dear Anass,
Thank you for reporting the HTML injection vulnerability on https://data.4tu.nl/. I can confirm to have reproduced it. Due to the Content-Security-Policy, it doesn't render the CSS, so what's left is just the anchor tag.
I attached a patch to resolve the problem, for which I'd like to invite you to be the (co-)author of.
This patch has been applied to our testing environment, so you can test it out further: https://next.data.4tu.nl/search?institutions=28589&datatypes=%22%3E%3Ca%...
If you would like to be (co-)author, then please let me know whether the "From" line (name and e-mail address) is correct.
Thank you again for your efforts and reporting!
Kind regards, Roel Janssen
________________________________
From: Info Security <infosec0011a@gmail.com>
Date: Thu, 22 May 2025 at 22:26
Subject: Vulnerability Report: HTML Injection Vulnerability
To: <researchdata@4tu.nl>
Hello,
My name is Anass, and I am a security researcher. I have discovered an HTML injection vulnerability on the following page:
Vulnerable URL: https://data.4tu.nl/search?institutions=28589&datatypes=%22%3E%3Ca%20sty...
This injection allows an attacker to insert arbitrary HTML elements into the page, which could be used for phishing or to trick users into clicking malicious links.
Impact: An attacker could display fake messages or UI elements, potentially leading to user deception or redirection to malicious websites.
Please let me know if you need further details or a proof-of-concept demo.
Best regards, Anass K.
Security Researcher
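As an added illustration (not the attached patch, and not 4TU's code), the following shows the class of defect reported above and its standard fix. It assumes, from the shape of the reported payload (`"><a ...`), that the `datatypes` query parameter was reflected into a quoted HTML attribute; the rendering functions, the parser helpers and the payload value are all constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed input modelled on the reported payload shape ("><a ...): the value
# closes the quoted attribute it is reflected into and then opens a new tag.
CONSTRUCTED_PAYLOAD = '"><a href="https://example.invalid">click</a>'


def render_datatypes_vulnerable(datatypes: str) -> str:
    """Hypothetical rendering of the search form that interpolates the raw
    query parameter into a quoted attribute. Kept only to show the defect."""
    return f'<input name="datatypes" value="{datatypes}">'


def render_datatypes_fixed(datatypes: str) -> str:
    """Same fragment with the value HTML-escaped. quote=True (the default)
    also encodes the double quote, which is what the payload relies on to
    break out of the attribute; a CSP only limits what the injected markup
    can do, it does not stop the injection itself."""
    return f'<input name="datatypes" value="{escape(datatypes, quote=True)}">'


class _Inspector(HTMLParser):
    """Tokenise a fragment the way a browser would: count real <a> start tags
    and capture the parsed (entity-decoded) value of the datatypes input."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors = 0
        self.datatypes_value = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors += 1
        if tag == "input" and dict(attrs).get("name") == "datatypes":
            self.datatypes_value = dict(attrs).get("value")


def count_anchor_tags(fragment: str) -> int:
    """Number of <a> elements a parser sees in the fragment (0 when safe)."""
    p = _Inspector()
    p.feed(fragment)
    return p.anchors


def reflected_value(fragment: str) -> str:
    """What the datatypes input actually carries after parsing: the escaped
    version round-trips the user's search term intact, the raw one loses it."""
    p = _Inspector()
    p.feed(fragment)
    return p.datatypes_value
```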