Rating: 1.0
Looking into the code of app.py, we see that filter_url() adds the origin (scheme and netloc) of every image URL to the img-src policy.
```python
import urllib.parse

from bs4 import BeautifulSoup as bs
from flask import Flask, make_response, render_template

# Post is the challenge's ORM model (peewee-style select().where()); it is
# defined elsewhere in app.py and not reproduced here.
app = Flask(__name__)


def filter_url(urls):
    domain_list = []
    for url in urls:
        parsed = urllib.parse.urlparse(url)
        # The raw netloc is copied into the header without any validation.
        domain = parsed.scheme + "://" + parsed.netloc
        if domain:  # always true: the string contains "://" even when netloc is empty
            domain_list.append(domain)
    return " ".join(domain_list)


@app.route('/display/<token>')
def display(token):
    user_obj = Post.select().where(Post.token == token)
    content = user_obj[-1].content if len(user_obj) > 0 else "Not Found"
    # Every <img src> in the stored post ends up in the img-src directive.
    img_urls = [x['src'] for x in bs(content).find_all("img")]
    tmpl = render_template("display.html", content=content)
    resp = make_response(tmpl)
    resp.headers["Content-Security-Policy"] = "default-src 'none'; connect-src 'self'; img-src " \
                                              f"'self' {filter_url(img_urls)}; script-src 'none'; " \
                                              "style-src 'self'; base-uri 'self'; form-action 'self' "
    return resp
```
We just need to inject a script-src policy that allows our script to execute.
Payload:
```
```
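As an added example (not part of the challenge code or of this writeup), here is a hardened replacement for filter_url() that rebuilds each origin from validated parts instead of copying the raw netloc into the header, so that nothing containing CSP metacharacters, userinfo, a bad port or a non-http scheme can reach the policy. The names safe_origin, filter_url_safe and build_csp are my own, and the sample URLs are constructed.

```python
import re
import urllib.parse

# Only a plain DNS hostname may enter the img-src directive: letters, digits,
# hyphens and dots. Anything else (';', whitespace, quotes, ...) is rejected.
_HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$")
_ALLOWED_SCHEMES = {"http", "https"}


def safe_origin(url):
    """Return 'scheme://host[:port]' rebuilt from validated parts, or None."""
    try:
        parsed = urllib.parse.urlparse(url)
        hostname = parsed.hostname  # lower-cased, userinfo and brackets stripped
        port = parsed.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parsed.scheme not in _ALLOWED_SCHEMES or not hostname:
        return None
    if parsed.username is not None or parsed.password is not None:
        return None
    if not _HOST_RE.fullmatch(hostname):
        return None
    origin = f"{parsed.scheme}://{hostname}"
    if port is not None:
        origin += f":{port}"
    return origin


def filter_url_safe(urls):
    """Hardened filter_url(): only well-formed origins, de-duplicated."""
    origins = []
    for url in urls:
        origin = safe_origin(url)
        if origin and origin not in origins:
            origins.append(origin)
    return " ".join(origins)


def build_csp(img_urls):
    """Same policy string as display(), with validated img-src sources."""
    extra = filter_url_safe(img_urls)
    img_src = "'self'" + (" " + extra if extra else "")
    return ("default-src 'none'; connect-src 'self'; "
            f"img-src {img_src}; script-src 'none'; "
            "style-src 'self'; base-uri 'self'; form-action 'self'")
```

Because the origin is reassembled from the parsed hostname and integer port rather than echoed from the request, an img src can no longer terminate the img-src directive or add a directive of its own.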