vue-flash-message
HTML tags are allowed by default, which can cause Cross-Site Scripting (XSS)
Looking at this code, it uses innerHTML, which means we can use HTML tags that can cause an XSS attack
Payload
this.flash('<img src=x onerror="alert(\'XSS Attack\')">');
Be careful with flash messages that contain input from the user!
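
One way to keep user input out of the markup, shown as an added example that is not code from vue-flash-message or from the original page: escape every interpolated value before the string is handed to this.flash(). The names escapeHtml, safeHtml, makeComponent, greetUnsafe and greetSafe are hypothetical, and the flash() stub only records the string that would be rendered through innerHTML.

```javascript
// Added example: escape user-controlled values before they reach an
// innerHTML-rendered flash message. All names here are hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that is significant in HTML text or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: literal parts are trusted markup written by the developer,
// interpolated values are treated as untrusted and escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Stand-in for a component exposing this.flash(); it records what would be
// assigned to innerHTML so the result can be inspected without a browser.
function makeComponent() {
  const rendered = [];
  return {
    rendered,
    flash(message) { rendered.push(message); },
    // Vulnerable pattern: user input concatenated into the message.
    greetUnsafe(name) { this.flash('Welcome ' + name); },
    // Hardened pattern: user input escaped before it reaches flash().
    greetSafe(name) { this.flash(safeHtml`Welcome <b>${name}</b>`); },
  };
}

// Constructed sample input: the payload from this page used as a "user name".
const userInput = '<img src=x onerror="alert(\'XSS Attack\')">';
const component = makeComponent();
component.greetUnsafe(userInput);
component.greetSafe(userInput);
console.log(component.rendered);
```

The first recorded string still contains a live img tag, while the second keeps the developer's own b element and renders the user's input as inert text.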