tl;dr

• SSRF using file_get_contents() and CRLF in ini_set()
• basic Header quirks to bypass waf
• sqli using column trick in SQLite to get the flag

tl;dr

• Notepad 1 - Use Set-Cookie header to get XSS on the Admin
• Notepad 1.5 - CRLF on the name parameter of Golang’s Header().Set() method
• Notepad 2 - Xsleaks using Timing-Allow-Origin header