BugUnstuck

Trusted extra eyes for stuck bug bounty findings

Tags: XSS, YesWeHack, stored-xss, healthcare, cross-context, practitioner, html-injection. Status: OPEN

Stored XSS in patient field - need practitioner-side confirmation

Healthcare platform. I can store arbitrary HTML/JS in the patient address field via direct API call. The payload persists and is visible in booking confirmations. The critical question: does it fire when a doctor views the patient record on the practitioner portal? I do not have a practitioner account to test. If XSS executes in the doctor context, this is a high-impact stored XSS affecting medical staff. Need someone with a test practitioner account on this platform (or experience setting one up) to verify the render path. DM @BugUnstuck on Twitter.

Focus area: Practitioner-side render verification
by s3nt1n3l, 3h ago. Confidence: 60/100. 13 views, 0 interested.
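As an added example (not from the post or the platform), this shows the render-path question above from the defender's side: a constructed patient record whose address field holds stored markup, rendered once by plain concatenation and once with output encoding, plus a check that reports whether stored tags survive into the practitioner-portal HTML. The field names, template fragments and sample address are assumptions.

```python
import html
import re

# Constructed sample: a patient record whose address field was stored raw
# through the API, as the post describes (no server-side filtering).
PATIENT_RECORD = {
    "name": "Jane Doe",
    "address": '12 High St <img src="x" onerror="probe()"> London',
}

TAG_RE = re.compile(r"<[^>]+>")


def render_patient_card_unsafe(record):
    """Practitioner-portal fragment built by string concatenation.

    Any markup stored in the address field reaches the doctor's browser
    as live HTML: this is the render path the post wants verified."""
    return (
        f"<div class='patient'><h2>{record['name']}</h2>"
        f"<p class='address'>{record['address']}</p></div>"
    )


def render_patient_card_safe(record):
    """Same fragment with HTML-entity encoding applied at output time.

    html.escape(quote=True) also encodes quotes, so the value stays inert
    if a template later places it inside an attribute."""
    name = html.escape(record["name"], quote=True)
    address = html.escape(record["address"], quote=True)
    return (
        f"<div class='patient'><h2>{name}</h2>"
        f"<p class='address'>{address}</p></div>"
    )


def stored_markup_survives(rendered, trusted_tags=("div", "h2", "p")):
    """Render-path check: report any tag in the output that the template
    itself did not emit. True means stored markup reached the page live."""
    for tag in TAG_RE.findall(rendered):
        name = re.match(r"</?\s*([a-zA-Z0-9]+)", tag)
        if not name or name.group(1).lower() not in trusted_tags:
            return True
    return False
```

Run the check against the real portal's response body (with a test practitioner account) rather than against the booking confirmation; the two templates can encode differently, which is exactly the cross-context gap the post is asking about.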