When clicking on links referring to steempayout.com, I don't expect any XSS vulnerabilities.
There is the possibility to inject JavaScript into the site, and this means I can do whatever I want to do with the users clicking that link...
Navigate to http://www.steempayout.com
Enter the username you want to check the payout from.
Manipulate the parameter within the URL to your needs...
Example:
http://www.steempayout.com/?username=snackaholic
to
https://steempayout.com/?username=%3Cscript%3Ealert(%22hallo%22)%3C/script%3E
Screenshot of Google Chrome protecting the user:
Screenshot of the malicious code that got injected to the site:
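
How the reflected parameter described in this report behaves in code, and how output encoding plus an allowlist closes it. This is an added example, not part of the original report and not steempayout.com's code; the function names, the `<h1>` markup and the username pattern are assumptions.

```javascript
// Added example: names and markup are assumptions, not steempayout.com's code.

// Encode the five characters that are significant in HTML text and attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed allowlist for an account name: 3-16 chars, lowercase letters, digits, '-' and '.'.
const USERNAME_RE = /^[a-z][a-z0-9.-]{2,15}$/;

// Read ?username= from a request URL; URLSearchParams percent-decodes the value.
function readUsername(requestUrl) {
  return new URL(requestUrl).searchParams.get('username') || '';
}

// 'Before': the decoded parameter is concatenated straight into the markup.
function renderUnsafe(requestUrl) {
  return '<h1>Payout for ' + readUsername(requestUrl) + '</h1>';
}

// 'After': reject anything that is not a plausible username, and escape on output regardless.
function renderSafe(requestUrl) {
  const username = readUsername(requestUrl);
  if (!USERNAME_RE.test(username)) {
    return '<h1>Invalid username</h1>';
  }
  return '<h1>Payout for ' + escapeHtml(username) + '</h1>';
}

// The two URLs from the report above.
const benign = 'http://www.steempayout.com/?username=snackaholic';
const injected = 'https://steempayout.com/?username=%3Cscript%3Ealert(%22hallo%22)%3C/script%3E';

console.log(renderUnsafe(injected));               // markup contains a live <script> element
console.log(renderSafe(injected));                 // rejected by the allowlist
console.log(renderSafe(benign));                   // normal username renders as before
console.log(escapeHtml(readUsername(injected)));   // the same input as inert text
```

Validation alone is not the fix: the escaping step is what keeps the value inert wherever it is written into HTML, and the allowlist only narrows what reaches it.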