Generic HTML Sanitizer Bypass Investigation
I stumbled over a weird HTML behavior on Twitter and started to investigate it. Did I just stumble over a generic HTML Sanitizer bypass?
Get my handwritten font (advertisement)
Checkout our courses on (advertisement)
The Tweet:
Google XSS:
HTML Spec: #parse-error-invalid-first-character-of-tag-name
Chapters:
00:00 - Intro
01:09 - Sanitizing vs. Encoding
02:32 - Developing HTML Sanitizer Bypass
05:03 - Attacking DOMPurify
07:08 - Attacking Server-side Sanitizer
08:31 - HTML Parse Error Specification
10:08 - Potential Impact
11:55 -
=[ ❤️ Support ]=
→ per Video:
→ per Month:
2nd Channel:
=[ 🐕 Social ]=
→ Twitter:
→ Streaming:
→ TikTok: @liveoverflow_
→ Instagram:
→ Blog:
→ Subreddit:
→ Facebook:
8 months ago 00:05:28 1
8 months ago 00:24:15 1
8 months ago 00:24:28 13
8 months ago 01:08:00 1
8 months ago 00:06:26 1
8 months ago 00:10:52 1
8 months ago 00:21:42 1
8 months ago 00:00:42 1
8 months ago 00:06:43 1
8 months ago 00:19:33 17
9 months ago 00:04:00 1
9 months ago 00:49:24 1
9 months ago 00:20:35 1
9 months ago 00:14:29 1
9 months ago 00:07:05 1
9 months ago 00:11:13 1
9 months ago 00:11:47 9
9 months ago 00:21:59 1
9 months ago 00:12:50 4
9 months ago 00:12:23 1
9 months ago 00:12:13 1
9 months ago 00:08:10 1
9 months ago 00:12:17 5
9 months ago 00:12:11 1
