NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting