XSS STORED AT socialclub.rockstargames.com (add friend request from profile attacker)
Medium
Rockstar Games
Team Summary
Official summary from Rockstar Games
In this report, the researcher discovered a Stored XSS vulnerability in the Add Friend functionality. It worked by filling the optional Message field with an XSS payload that utilized an SVG object tag and some character escaping. When the recipient of the malicious friend request clicked or tapped the Accept button on the request, the payload would fire. This was resolved by utilizing anti-XSS libraries, and by stripping certain characters and HTML tags from user-provided input.
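The fix described in the summary combines two layers: stripping tag-like input on the way in, and encoding user-controlled values on the way out. The following Python is an added illustration of that pattern, not Rockstar Games' code or the reporter's payload; the request layout in `render_friend_request`, the `SAMPLE_MESSAGE` string and the helper names are constructed for the example.

```python
import html
import re

# Constructed sample friend-request message (not the reporter's payload):
# a greeting with an embedded SVG element carrying an event-handler attribute.
SAMPLE_MESSAGE = 'Hi! <svg onload="/* attacker script */"></svg> add me'

# Matches anything that looks like an HTML/SVG tag, including an unterminated one.
_TAG_RE = re.compile(r'<[^>]*>?')


def strip_tags(text: str) -> str:
    """Input-side hardening: remove tag-like sequences from a message.

    Applied repeatedly until the text stops changing, so a nested fragment
    such as '<sv<svg>g>' cannot reassemble into a tag after a single pass.
    """
    previous = None
    while previous != text:
        previous = text
        text = _TAG_RE.sub('', text)
    return text


def escape_for_html(text: str) -> str:
    """Output-side encoding for text placed in an element body or a
    double-quoted attribute: &, <, >, " and ' become entities."""
    return html.escape(text, quote=True)


def render_friend_request(sender: str, message: str) -> str:
    """Build the HTML fragment shown on the Accept page (hypothetical layout).

    Every user-controlled value is escaped at the point it is inserted, so
    even markup that slipped past strip_tags cannot become a live element.
    Relying on stripping alone is the weak setting; escaping at output is the
    control that closes the hole.
    """
    safe_sender = escape_for_html(sender)
    safe_message = escape_for_html(strip_tags(message))
    return (
        f'<div class="friend-request" data-sender="{safe_sender}">'
        f'<p>{safe_sender} wants to be your friend.</p>'
        f'<blockquote>{safe_message}</blockquote>'
        f'<button>Accept</button>'
        f'</div>'
    )


def contains_live_markup(rendered: str) -> bool:
    """Regression check: True if any tag other than the fixed template tags
    (div, p, blockquote, button) is present in the rendered fragment."""
    allowed = {'div', '/div', 'p', '/p', 'blockquote', '/blockquote',
               'button', '/button'}
    for tag in re.findall(r'<\s*(/?\w+)', rendered):
        if tag.lower() not in allowed:
            return True
    return False


if __name__ == '__main__':
    print(render_friend_request('some_user', SAMPLE_MESSAGE))
```

`contains_live_markup` is the kind of assertion a regression test for this report would carry: the raw message trips it, while the rendered fragment does not, whether or not the stripping step is present, because the output encoding neutralizes the angle brackets and quotes regardless.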
Reported by
ak1t4
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Cross-site Scripting (XSS) - Stored