Cross-site Scripting (XSS) - Stored in elgg/elgg

An attacker can submit a report via the reported content action with a crafted `address` parameter containing JavaScript, e.g. `javascript:alert(1)`. Because the address is stored unsanitized and later rendered in a web page served to other users (such as administrators reviewing reports), the malicious payload executes in the context of the victim's session [CWE-79]. The attack requires no special privileges beyond the ability to submit a reported content report.

The vulnerable code is in `mod/reportedcontent/actions/reportedcontent/add.php` [patch_id=1699464]. The action directly assigns the user-supplied `$address` parameter to `$report->address` without sanitization, allowing arbitrary URLs to be stored.

The patch replaces the direct assignment `$report->address = $address` with `$report->address = elgg_normalize_site_url($address)` [patch_id=1699464]. The `elgg_normalize_site_url()` function validates that the provided URL is a legitimate site URL, rejecting dangerous schemes like `javascript:` or `data:`. This closes the XSS vector by ensuring only safe, normalized URLs are stored and later displayed.