I'm just browsing through the community's collections and an idea popped in my head... if there's a username URL parameter on one page, how about I test it somewhere else?
So I tried it and this popped up.
Unfortunately, it's not very functional, and it still shows everyone's published collections.
It also works with the Explore tab, however that doesn't show that user's projects.
It looks like the website handles it well, since moving to a new page still keeps the username parameter.
That's not XSS. That happens because when they set the title of projects, they use the .innerHTML rather than .innerText, so that's why the scripting works.
Just patched this one. It was a one-character slip on my side...
These are not serious vulnerabilities, but still the standard practice when someone finds a possible vulnerability on an online service, more so if it's a free software one, is to notify the developers privately before teaching all other users how to exploit it.
Thank you for reporting, but please use a bit of Internet etiquette for next time
unfortunately that email never works for me. In the past two times I've contacted the email I get an error email reply that I'm not in some Google workspace group