I’ve found an unencoded injection point
<Param name="name" value="inject" />
Unfortunately asp.net request validation stops me creating either a new tag or ending the current param tag for
Anyone got any pointers from bug bounties for how to turn this into xss? I’m tempted to say impossible ATM, but there’s always new techniques to learn. Thanks.