
CWE-79 - Reflected Cross-Site Scripting vulnerability at /InvisibleRecaptcha.php

Open NagliNagli opened this issue 2 years ago • 0 comments

Hey, I'd like to request you to issue a CVE for this pull request.

Summary

As I'm doing security research during my bug bounty activities, I stumbled upon an issue with a client that uses invisible-recaptcha.

Specifically speaking, the issue is within the "ac" parameter.

As I discovered the vulnerability during my black-box approach, I decided to report it in this repo and to see the white-box root cause of the matter.

The url of my proof of concept looked like the following:

invisibleRecaptcha?sitekey=XXXXXX&lang=XX&label=XXX&ac=</script><a%20href=javascript:alert(document.domain)>hi</a>

The payload I used escapes the JavaScript context that the input was injected into and inserts my own Cross-Site Scripting code.

[Screenshot attached: 2021-10-03 at 17:28:35]

NagliNagli, Oct 03 '21 14:10
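The mechanism the report describes, a value reflected into an inline script and broken out of with `</script>`, shown as an added example that is not code from the issue or from the invisible-recaptcha project. The page template below is a hypothetical stand-in for the real `InvisibleRecaptcha.php` markup (the actual root cause in that file is not shown on this page); only the parameter names `sitekey`, `lang`, `label` and `ac` are taken from the PoC URL. It renders the same input through a naive concatenating template and through a hardened one, then models how a browser's HTML tokenizer would split each result.

```javascript
// Added example, not the project's code. The vulnerable template is hypothetical:
// it reflects query parameters into a JavaScript string literal by concatenation.
function renderVulnerable(params) {
  return `<html><body>
<script>
  var cfg = { sitekey: "${params.sitekey}", lang: "${params.lang}", label: "${params.label}", ac: "${params.ac}" };
</script>
</body></html>`;
}

// Hardened rendering: serialize the config as JSON and escape "<", ">" and "&" as
// \uXXXX sequences, so the HTML tokenizer can never encounter "</script" inside the
// element while the JavaScript parser still decodes the original value. The PHP
// equivalent is json_encode($cfg, JSON_HEX_TAG | JSON_HEX_AMP).
function toScriptSafeJson(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

function renderHardened(params) {
  const cfg = {
    sitekey: params.sitekey,
    lang: params.lang,
    label: params.label,
    ac: params.ac,
  };
  return `<html><body>
<script>
  var cfg = ${toScriptSafeJson(cfg)};
</script>
</body></html>`;
}

// Simplified model of the HTML tokenizer's "script data" state: after <script> the
// element content runs until the first "</script" (case-insensitive), and JavaScript
// quoting has no influence on where that boundary falls.
function splitFirstScript(html) {
  const open = html.search(/<script[^>]*>/i);
  if (open === -1) return null;
  const bodyStart = html.indexOf('>', open) + 1;
  const close = html.slice(bodyStart).search(/<\/script/i);
  if (close === -1) return { script: html.slice(bodyStart), remainderHtml: '' };
  return {
    script: html.slice(bodyStart, bodyStart + close),
    remainderHtml: html.slice(bodyStart + close),
  };
}

// Constructed input mirroring the issue's PoC URL (placeholders for the other parameters).
const poc = {
  sitekey: 'XXXXXX',
  lang: 'XX',
  label: 'XXX',
  ac: '</script><a href=javascript:alert(document.domain)>hi</a>',
};

// Returns how the tokenizer would split both renderings of the same input.
function compare(params) {
  return {
    vulnerable: splitFirstScript(renderVulnerable(params)),
    hardened: splitFirstScript(renderHardened(params)),
  };
}

const result = compare(poc);
// In the vulnerable rendering the injected "</script>" closes the element early and the
// anchor with the javascript: URL is parsed as page markup; in the hardened rendering the
// whole value stays inside the script as a harmless JSON string.
console.log('vulnerable, markup after script:', result.vulnerable.remainderHtml);
console.log('hardened, markup after script:', result.hardened.remainderHtml);

module.exports = { renderVulnerable, renderHardened, toScriptSafeJson, splitFirstScript, compare, poc };
```

The `splitFirstScript` model is deliberately minimal (no comments, CDATA or nested-tag handling), but it captures the one rule that matters here: breaking out of a script element is a property of the HTML tokenizer, not of the JavaScript grammar, so escaping quotes alone is not enough and `<` must be encoded as well.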