@WHHackersBR reported an XSS vulnerability that existed within a redirect page in our OAuth authorization flow. The value of the authorization callback URL that users register when creating a new OAuth application is inserted into an anchor href attribute on the redirect page. By registering an OAuth application with a javascript: URL, an attacker could insert JavaScript into this anchor tag.

This vulnerability was mitigated by our use of CSP in modern browsers. In addition, this vulnerability would require a user to manually click the link on the redirect page to trigger execution of JavaScript. We addressed the behavior by preventing users from registering callback URLs with potentially dangerous schemes.
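As an added illustration of the scheme restriction described above (example code, not GitHub's own fix), the Python validator below accepts only http/https callback URLs at registration time and normalises the input the way browsers do before reading the scheme, so case, surrounding whitespace and embedded tab/newline variants of javascript: are rejected as well. The allowlist contents, the function name and the sample registrations are assumptions.

```python
from urllib.parse import urlsplit

# Assumed policy: a registered OAuth callback may only use these schemes.
# http is kept for local development callbacks; a stricter policy would
# allow https only.
ALLOWED_SCHEMES = {"https", "http"}

# Characters the WHATWG URL parser strips from both ends (C0 controls and
# space) and removes anywhere (ASCII tab, LF, CR) before reading the scheme.
_STRIP_CHARS = "".join(chr(c) for c in range(0x21))
_REMOVE_CHARS = "\t\n\r"


def is_safe_callback_url(raw: str) -> bool:
    """Return True only if the callback URL uses an allowed scheme and a host.

    Normalising first matters: a naive raw.startswith("javascript:") check
    would accept "JavaScript:", " javascript:" and "java\\tscript:", all of
    which a browser still executes when placed in an anchor's href.
    """
    cleaned = raw.strip(_STRIP_CHARS)
    for ch in _REMOVE_CHARS:
        cleaned = cleaned.replace(ch, "")
    parts = urlsplit(cleaned)
    # urlsplit lowercases the scheme; an empty scheme (e.g. "//host/cb")
    # is also rejected because the browser would resolve it unpredictably.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # Require an authority so "https:" or "http:relative" cannot register.
    return bool(parts.netloc)


def validate_registrations(urls):
    """Classify each submitted callback URL; returns {url: accepted?}."""
    return {u: is_safe_callback_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample registrations, not real application data.
    samples = [
        "https://example.com/oauth/callback",
        "http://localhost:8080/cb",
        "JavaScript:void(0)",
        "  javascript:void(0)",
        "java\tscript:void(0)",
        "data:text/html,x",
    ]
    for url, ok in validate_registrations(samples).items():
        print(f"{'accept' if ok else 'reject':7} {url!r}")
```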