Possible XSS vulnerability without a content security bypass