Is the XSS exploitable? Can you insert data in the phone field via a form submit or URL param? Seems like the attack requires exceedingly unlikely user interaction.<p>Did you contact the Portuguese National Data Protection Agency? If you can leak phone numbers, they should be informed.<p>Cool findings :)