`.\n\n**Why this is same-origin**: Per the HTML specification, an `\n```\n\n**Step 2: Visit any public page that includes the Google Maps widget**\n\nNavigate to the frontend contact or footer page as an unauthenticated visitor. The browser renders the `srcdoc` iframe, decodes the entities, and executes the script in the parent page's origin.\n\n**Expected result**: JavaScript `alert(document.domain)` fires showing the target's domain, confirming same-origin execution.\n\n**Cookie theft variant**:\n```\n\n```\n\n## Impact\n\n- **Stored XSS affecting all frontend visitors**: The payload persists in the settings database and executes for every unauthenticated visitor viewing pages that include the Google Maps iframe widget.\n- **Session hijacking**: The script executes in the parent page's origin, giving access to session cookies (unless HttpOnly is set) and the full DOM.\n- **Credential theft**: An attacker can inject a fake login form or redirect users to a phishing page.\n- **Scope change**: The attack crosses from the admin backend trust boundary to the public frontend, affecting users who have no relationship with the backend.\n\nThe attack requires a compromised or malicious admin account with settings update permission. While this is a privileged starting point (PR:H), the impact crosses to all unauthenticated visitors (S:C), justifying Medium severity.\n\n## Recommended Fix\n\nReplace the regex-based attribute blocklist with a strict allowlist approach. Only allow `src`, `width`, `height`, `frameborder`, `style`, `allowfullscreen`, and `loading` attributes on iframe tags:\n\n```php\n// In modules/Settings/Controllers/Settings.php, replace lines 49-52:\n$mapValue = trim(strip_tags($this->request->getPost('cMap'), '