# Nickname from vCard can be rendered as HTML without escaping

The nickname displayed for a contact is taken from that contact's vCard, which the contact fully controls, so any markup placed in it is rendered as attacker-controlled HTML in the victim's client.

## poc

1. Set the attacker account's nickname to this:

   ```html
   <img src=x onerror=alert(1)>
   ```

2. Send a contact invite to the victim account.
3. The victim account accepts the contact request.
4. The payload executes in the victim's client.

![Image](https://github.com/user-attachments/assets/c59d47ff-7e3a-462b-8576-e0df0a9ab086)
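The root cause and the fix, as an added example that is not code from the original report or from the affected client: a minimal model of how a contact's vCard nickname ends up in roster markup, first by plain string concatenation (the unescaped pattern the report describes) and then with HTML escaping, plus the DOM equivalent that assigns `textContent` instead of `innerHTML`. The function names, the `<li>` roster markup and the `attacker@example.org` JID are assumptions for illustration.

```javascript
// Added example, not code from the original report or the affected client.
// Models how a vCard nickname reaches the roster markup. Function names, the
// <li> markup and the JID used below are assumptions for illustration.

// The nickname from the PoC above: the contact, not the victim, chooses it.
const POC_NICKNAME = '<img src=x onerror=alert(1)>';

// Vulnerable pattern: the nickname is concatenated straight into markup that is
// later assigned to innerHTML, so any tag inside it becomes live HTML.
function renderRosterEntryUnsafe(nickname, jid) {
  return `<li class="roster-entry" data-jid="${jid}">` +
         `<span class="nick">${nickname}</span></li>`;
}

// Escape the characters that can terminate an HTML text node or attribute
// value, so the nickname is displayed verbatim instead of being parsed.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed pattern: every untrusted field is escaped before it enters the markup.
// The JID is escaped too; it is just as attacker chosen as the nickname.
function renderRosterEntrySafe(nickname, jid) {
  return `<li class="roster-entry" data-jid="${escapeHtml(jid)}">` +
         `<span class="nick">${escapeHtml(nickname)}</span></li>`;
}

// The same fix in DOM code: create nodes and assign the nickname through
// textContent, never innerHTML. Only callable where a DOM exists.
function appendRosterEntryDom(list, nickname, jid) {
  const li = document.createElement('li');
  li.className = 'roster-entry';
  li.dataset.jid = jid;
  const span = document.createElement('span');
  span.className = 'nick';
  span.textContent = nickname; // rendered as text, so tags stay inert
  li.appendChild(span);
  list.appendChild(li);
  return li;
}

// Crude check used only to show the difference: does the markup still contain
// an unescaped tag carrying an on* event-handler attribute?
function containsLiveHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Demonstration with a constructed JID.
const jid = 'attacker@example.org';
console.log('unsafe:', renderRosterEntryUnsafe(POC_NICKNAME, jid));
console.log('safe:  ', renderRosterEntrySafe(POC_NICKNAME, jid));
console.log('unsafe keeps handler:', containsLiveHandler(renderRosterEntryUnsafe(POC_NICKNAME, jid)));
console.log('safe keeps handler:  ', containsLiveHandler(renderRosterEntrySafe(POC_NICKNAME, jid)));
```

Escaping at render time is the general fix; it does not matter whether the nickname arrived from a vCard, a roster push or a chat message, because the untrusted string is neutralised at the point where it meets the HTML parser.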