Generic HTML Sanitizer Bypass Investigation
I stumbled over a weird HTML behavior on Twitter and started to investigate it. Did I just stumble over a generic HTML Sanitizer bypass?
Get my handwritten font (advertisement)
Checkout our courses on (advertisement)
The Tweet:
Google XSS:
HTML Spec: #parse-error-invalid-first-character-of-tag-name
Chapters:
00:00 - Intro
01:09 - Sanitizing vs. Encoding
02:32 - Developing HTML Sanitizer Bypass
05:03 - Attacking DOMPurify
07:08 - Attacking Server-side Sanitizer
08:31 - HTML Parse Error Specification
10:08 - Potential Impact
11:55 -
=[ ❤️ Support ]=
→ per Video:
→ per Month:
2nd Channel:
=[ 🐕 Social ]=
→ Twitter:
→ Streaming:
→ TikTok: @liveoverflow_
→ Instagram:
→ Blog:
→ Subreddit:
→ Facebook:
1 month ago 00:13:49 1
2 months ago 00:30:04 1
2 months ago 00:12:15 9
3 months ago 00:09:12 1
3 months ago 00:00:00 1
![Fadead / Artificial Extinction - Split [2024 Grindcore]](https://sun9-76.userapi.com/4JKUeo_rDrjyGfxXJJV2Oh6uknRcYc8jEUfQwg/6Z_WsIpIJWE.jpg)
3 months ago 01:17:09 1
3 months ago 01:03:46 1
4 months ago 00:19:57 2
4 months ago 00:11:57 1
4 months ago 00:14:45 1
5 months ago 00:11:21 1
6 months ago 00:08:14 1
6 months ago 00:10:40 1
6 months ago 00:10:22 1
6 months ago 00:12:54 4
6 months ago 00:11:41 1
6 months ago 00:15:54 1
6 months ago 00:20:16 1
6 months ago 00:11:20 1
7 months ago 00:10:52 1
7 months ago 00:11:27 3
7 months ago 00:10:30 1
7 months ago 00:12:08 18
7 months ago 00:11:37 21
