Dear Anass,

Thank you for reporting the HTML injection vulnerability on https://data.4tu.nl.
I can confirm that I have reproduced it. Due to the Content-Security-Policy, it doesn't render the CSS, so what's left is just the anchor tag.

I attached a patch to resolve the problem, of which I'd like to invite you to be the (co-)author.

This patch has been applied to our testing environment, so you can test it out further:
https://next.data.4tu.nl/search?institutions=28589&datatypes=%22%3E%3Ca%20style=%22position:absolute;margin:50px;%20background-color:%20yellow;%20z-index:1000;top:50px;padding:100px;font-weight:bold;font-size:45px;color:red;%22%20href=%22https://evil.com%22%3EClick%20here%20for%20win%201000%E2%82%AC!%3C/a%3E

If you would like to be (co-)author, then please let me know whether the "From" line (name and e-mail address) is correct.

Thank you again for your efforts and reporting!

Kind regards,
Roel Janssen


From: Info Security <infosec0011a@gmail.com>
Date: Thu, 22 May 2025 at 22:26
Subject: Vulnerability Report: HTML Injection Vulnerability
To: <researchdata@4tu.nl>


Hello,

My name is Anass, and I am a security researcher. I have discovered an HTML injection vulnerability on the following page:

Vulnerable URL:
https://data.4tu.nl/search?institutions=28589&datatypes=%22%3E%3Ca%20style=%22position:absolute;margin:50px;%20background-color:%20yellow;%20z-index:1000;top:50px;padding:100px;font-weight:bold;font-size:45px;color:red;%22%20href=%22https://evil.com%22%3EClick%20here%20for%20win%201000%E2%82%AC!%3C/a%3E

This injection allows an attacker to insert arbitrary HTML elements into the page, which could be used for phishing or to trick users into clicking malicious links.

Impact:
An attacker could display fake messages or UI elements, potentially leading to user deception or redirection to malicious websites.

Please let me know if you need further details or a proof-of-concept demo.

Best regards,
Anass K.

Security Researcher
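As an added illustration of the reported bug (this is not code from the 4TU platform nor from the attached patch), the snippet below shows how a `datatypes` value that is interpolated verbatim into an HTML attribute breaks out of it and adds an anchor tag, and how attribute-escaping the value keeps it inert. The template strings, the hostname and the sample payload are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample query (not the reported URL): the same attribute break-out
# pattern, a value that closes the quoted attribute and injects an anchor tag.
SAMPLE_QUERY = (
    "institutions=28589&datatypes="
    "%22%3E%3Ca%20href=%22https://evil.example%22%3EClick%3C/a%3E"
)

def datatypes_param(query: str) -> str:
    """Return the decoded 'datatypes' query parameter, or '' if absent."""
    return parse_qs(query, keep_blank_values=True).get("datatypes", [""])[0]

def render_unsafe(datatypes: str) -> str:
    """Hypothetical vulnerable template: the value is interpolated verbatim."""
    return f'<input type="hidden" name="datatypes" value="{datatypes}">'

def render_safe(datatypes: str) -> str:
    """Hardened form: escape & < > " ' so the value cannot leave the attribute."""
    escaped = html.escape(datatypes, quote=True)
    return f'<input type="hidden" name="datatypes" value="{escaped}">'

class _TagCollector(HTMLParser):
    """Collects (tag, attrs) for every start tag a browser would see."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append((tag, dict(attrs)))

def parse_tags(rendered: str) -> list:
    """Parse rendered HTML and return its start tags with decoded attributes."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags

if __name__ == "__main__":
    value = datatypes_param(SAMPLE_QUERY)
    # Unsafe: a second tag (the injected <a>) shows up in the parsed output.
    print(parse_tags(render_unsafe(value)))
    # Safe: only the <input> survives, and its value round-trips unchanged.
    print(parse_tags(render_safe(value)))
```

The same escaping must be applied in every place the parameter is reflected (hidden inputs, links, page titles), not only the one spot the report points at.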