XSS in new.loading.page.html