TL;DR: Total WebShield (v3.2) fails to sanitize the category URL parameter in its block page, allowing an attacker to inject arbitrary HTML into the extension’s UI. This can be abused to load remote content, phish users, or execute scripts in the cont...
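The following is an added example, not code from Total WebShield or from the original page: it contrasts a block-page renderer that concatenates the category parameter into markup with a hardened one that allow-lists the value and escapes on output. The function names, the category allow-list and the sample URL are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not the extension's own.

// Characters that change meaning in HTML text or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed set of category labels the block page is allowed to display.
const KNOWN_CATEGORIES = new Set(["malware", "phishing", "adult", "gambling"]);

// Read the raw, URL-decoded category value from the block-page URL.
function readCategory(blockPageUrl) {
  return new URL(blockPageUrl).searchParams.get("category") || "";
}

// Unsafe pattern: the parameter is placed into markup unchanged, so any
// tags it carries become part of the page.
function renderUnsafe(blockPageUrl) {
  return `<p class="reason">Blocked category: ${readCategory(blockPageUrl)}</p>`;
}

// Hardened pattern: accept only known labels, fall back to a fixed string,
// and still escape on output as defense in depth.
function renderSafe(blockPageUrl) {
  const normalized = readCategory(blockPageUrl).trim().toLowerCase();
  const category = KNOWN_CATEGORIES.has(normalized) ? normalized : "unknown";
  return `<p class="reason">Blocked category: ${escapeHtml(category)}</p>`;
}

// Constructed sample URL whose category value carries harmless markup.
const SAMPLE_URL = "https://blockpage.example/block.html?category=%3Cb%3Ex%3C%2Fb%3E";

console.log(renderUnsafe(SAMPLE_URL));
console.log(renderSafe(SAMPLE_URL));
```

In a real extension page the same result is better achieved by assigning the value through `textContent` rather than `innerHTML`, which avoids building markup strings at all.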