tl;dr
* CSS injection using url forging
* leaking password using :empty selectors

Original writeup (https://blog.bi0s.in/2023/01/23/Web/bi0sCTF22-Emo-Locker/).