software homepage : https://osclass.org/

>go to website home page
edit language
if you see the request in GET as example.com/?locale=language_country (vulnerable)
use payload : /?locale=fr_FR%20src=--"><script>alert('Salvatrucha')</script>

>for developpers :
id you're using osclass check the index.php 
in the language the osvlass doesn't filter the entities of the language name

>vulnerable code :
$language = $_GET['$locale']
fix it by adding the htmlspecialchars() function
$language = htmlspecialchars($_GET['$locale'])

>examples of vulnerable websites : 
toiledz.com

>check here for vulnerable sites : https://trends.builtwith.com/websitelist/OS-Class