Title: CSTI vulnerability in search functionality
Description:
I discovered a client-side template injection (CSTI) vulnerability in the search functionality of the website. The search term is rendered as part of a client-side template rather than as plain data, so an attacker can inject template expressions that the client-side template engine evaluates in the user's browser.
To reproduce the vulnerability, follow these steps:
Visit the website and navigate to the search page
In the search field, enter the following string: {{ 7 * 7 }}
Submit the search query
The injected code will be executed on the user's browser, and the result (49) will be displayed on the page
Impact:
An attacker who gets a victim to open a crafted search URL could use this vulnerability to execute arbitrary JavaScript in the user's browser, within the origin of the website. This could be used to steal sensitive information, such as the user's session cookie or other sensitive data, or to perform actions on the user's behalf.
Recommendations:
To fix this vulnerability, the website should never pass user-supplied input to the client-side template engine as template source. The search term should be rendered as data (for example, bound to the template as a scope value or written to the page as a text node), so that the engine interpolates its value and never compiles it; in addition, special characters in user-supplied input should be escaped, either by a library or framework that does this automatically or by code in the application itself. Note that HTML escaping alone does not stop template evaluation, since characters such as { and } are not HTML-significant and the engine evaluates expressions in the rendered text.
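The following is an added example, not code from the original report or from the affected website, showing the two rendering patterns side by side. It uses a small toy template engine (a hypothetical stand-in for a real client-side engine such as AngularJS, assumed here only to make the behaviour observable offline) together with a regression check that a defender can point at any render path: the canary string {{ 7 * 7 }} must come back verbatim, never as 49.

```javascript
// Added example (not from the original report): a minimal client-side
// template engine that mimics how {{ expression }} markup is evaluated,
// used to contrast the vulnerable pattern (user input spliced into template
// source) with the safe pattern (user input passed as data).

// Toy template compiler: every {{ ... }} in the TEMPLATE SOURCE is evaluated
// as a JavaScript expression against the data scope. The Function call is
// what makes template source trusted code; real engines do the equivalent.
function compileTemplate(source) {
  return function render(scope) {
    // Single-pass replacement: values produced here are NOT re-scanned for
    // {{ }}, which is also how real engines treat interpolated data.
    return source.replace(/\{\{([\s\S]*?)\}\}/g, (_, expr) => {
      const fn = new Function('scope', `with (scope) { return (${expr}); }`);
      return String(fn(scope));
    });
  };
}

// VULNERABLE: the search term becomes part of the template source, so a term
// such as "{{ 7 * 7 }}" is compiled and evaluated instead of displayed.
function renderSearchVulnerable(query) {
  const source = '<p>Results for: ' + query + '</p>';
  return compileTemplate(source)({});
}

// Minimal HTML escaping so the term cannot break out of its text node either.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// HARDENED: the template is a fixed, developer-authored string; the search
// term is supplied as data on the scope. The engine interpolates the VALUE of
// `query` and never compiles it, so "{{ 7 * 7 }}" is shown literally.
const searchResultsTemplate = compileTemplate(
  '<p>Results for: {{ escapeHtml(query) }}</p>'
);
function renderSearchHardened(query) {
  return searchResultsTemplate({ query, escapeHtml });
}

// Regression check for any render path: injectable if the canary disappears
// from the output and its evaluated value (49) shows up instead.
const CSTI_CANARY = '{{ 7 * 7 }}';
function isTemplateInjectable(renderFn) {
  const out = renderFn(CSTI_CANARY);
  return !out.includes(CSTI_CANARY) && out.includes('49');
}

// Stand-alone demonstration with the report's own payload.
console.log(renderSearchVulnerable(CSTI_CANARY)); // <p>Results for: 49</p>
console.log(renderSearchHardened(CSTI_CANARY));   // <p>Results for: {{ 7 * 7 }}</p>
console.log(isTemplateInjectable(renderSearchVulnerable)); // true
console.log(isTemplateInjectable(renderSearchHardened));   // false
```

The difference between the two paths is not the escaping function but where the user input enters: as template source (compiled, then evaluated) or as a scope value (interpolated as text). A check like isTemplateInjectable belongs in the search page's test suite so that a later refactor that concatenates the term into a template string is caught before deployment.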
Proof of Concept:
I have included a proof-of-concept code snippet below that demonstrates the vulnerability:
<form action="https://website.com/search">
  <input type="text" name="q" value="{{ 7 * 7 }}">
  <input type="submit" value="Search">
</form>
Steps to reproduce:
Copy the code snippet above and save it to a file (e.g. poc.html)
Open the file in a web browser and click the Search button to submit the form
The injected code will be executed on the user's browser, and the result (49) will be displayed on the page.
Additional Information:
I have attached a screenshot that shows the result of the injected code being executed on the user's browser.