XSS vulnerability without a content security bypass in a `CUSTOM` App through Button tag