https://api.standoff365.com
host. But flaw in regular expression which checks image source host allows attacker to load images from any host that starts with https://api.standoff365.com
substring.[...] if (d = t.properties.src, u !== Hc.NotFound && !new RegExp('^'.concat((0, p.VY) (), '.+')).test(d)) { e.next = 14; break } [...]