Generic HTML Sanitizer Bypass Investigation

Опубликовано: 24 Октябрь 2024
на канале: LiveOverflow

141,563

6.6k

I stumbled over a weird HTML behavior on Twitter and started to investigate it. Did I just stumble over a generic HTML Sanitizer bypass?

Get my handwritten font https://shop.liveoverflow.com (advertisement)
Checkout our courses on https://hextree.io (advertisement)

The Tweet:   / 1662701541680136195
Google XSS:    • XSS on Google Search - Sanitizing HTM...
HTML Spec: https://html.spec.whatwg.org/multipag...

Chapters:
00:00 - Intro
01:09 - Sanitizing vs. Encoding
02:32 - Developing HTML Sanitizer Bypass
05:03 - Attacking DOMPurify
07:08 - Attacking Server-side Sanitizer
08:31 - HTML Parse Error Specification
10:08 - Potential Impact
11:55 - hextree.io

=[ ❤️ Support ]=

→ per Video:   / liveoverflow
→ per Month:    / @liveoverflow

2nd Channel:    / liveunderflow

=[ 🐕 Social ]=

→ Twitter:   / liveoverflow
→ Streaming: https://twitch.tvLiveOverflow/
→ TikTok:   / liveoverflow_
→ Instagram:   / liveoverflow
→ Blog: https://liveoverflow.com/
→ Subreddit:   / liveoverflow
→ Facebook:   / liveoverflow