Store XSS in image url field

[Iceware]

Portfolio Version 1.2.0
PHP Version: 7

Login user who has "Manage portfolio " privilege can inject arbitrary web script or HTML via editor, XSS vulnerability will be triggered by visiting /portfolio/${project_title}.

POC

Title field also vulnerable to XSS,