Reflected XSS — SVG Sanitiser Bypass
ProfilePics renders user-supplied SVG as an avatar. The sanitiser strips <script> tags but leaves SVG event-handler attributes (on*) intact. Find a payload that executes script when the avatar is rendered.
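Added illustration, not code from the lab or from ProfilePics: a naive sanitiser that only strips <script> (assumed to behave like the lab's), a checker that reports the on* and javascript: attributes such a sanitiser leaves behind, and an allowlist rewrite that removes them. The element and attribute allowlists are assumptions chosen for the example; a production fix should use a parser-based sanitiser such as DOMPurify rather than regexes over markup.

```javascript
// Illustrative only: regex handling of markup is itself fragile (quoted '>' in
// values, CDATA, entities). Use a parser-based sanitiser in real code.

// Naive sanitiser, assumed to mirror the lab: removes <script> blocks and bare
// <script> tags, and touches nothing else.
function naiveSanitise(svg) {
  return svg
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<\/?script\b[^>]*>/gi, '');
}

// Attributes that can carry script: any on* event handler, and URL-bearing
// attributes whose value uses the javascript: scheme.
const EVENT_HANDLER = /^on/i;
const URL_ATTRS = new Set(['href', 'xlink:href']);

// Attribute parser shared by the checker and the rewrite. Returns [name, value]
// pairs; value is '' for valueless attributes.
function parseAttrs(attrs) {
  const out = [];
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let a;
  while ((a = attrRe.exec(attrs)) !== null) {
    out.push([a[1], (a[2] ?? a[3] ?? a[4] ?? '').trim()]);
  }
  return out;
}

// Report what in the (sanitised) markup would still run script.
// Returns the offending attribute names, in document order.
function findActiveContent(svg) {
  const hits = [];
  const tagRe = /<([a-zA-Z][\w:-]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(svg)) !== null) {
    const [, tag, attrs] = m;
    if (tag.toLowerCase() === 'script') hits.push('<script>');
    for (const [name, value] of parseAttrs(attrs)) {
      if (EVENT_HANDLER.test(name)) hits.push(name.toLowerCase());
      else if (URL_ATTRS.has(name.toLowerCase()) && /^javascript:/i.test(value)) hits.push(name.toLowerCase());
    }
  }
  return hits;
}

// Hardened rewrite: keep only allowlisted elements and attributes. Anything
// not on the list (on*, href, style, foreignObject, ...) is dropped, so the
// sanitiser never has to enumerate the dangerous cases. Lists are assumptions
// for the example; a real avatar renderer would tune them to what it needs.
const ALLOWED_TAGS = new Set(['svg', 'g', 'path', 'circle', 'rect', 'title']);
const ALLOWED_ATTRS = new Set(['xmlns', 'viewBox', 'width', 'height', 'd',
  'cx', 'cy', 'r', 'x', 'y', 'fill', 'stroke']);

function allowlistSanitise(svg) {
  // Remove script elements with their bodies first, so the body text does
  // not survive as stray content when the tags are stripped below.
  const noScript = svg.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
  return noScript.replace(/<(\/?)([a-zA-Z][\w:-]*)\b([^>]*?)(\/?)>/g,
    (whole, close, tag, attrs, selfClose) => {
      if (!ALLOWED_TAGS.has(tag)) return '';   // unknown element: drop its tags
      if (close) return `</${tag}>`;
      const kept = [];
      for (const [name, value] of parseAttrs(attrs)) {
        if (!ALLOWED_ATTRS.has(name)) continue; // on*, href, ... all dropped here
        kept.push(` ${name}="${value.replace(/"/g, '&quot;')}"`);
      }
      return `<${tag}${kept.join('')}${selfClose ? ' /' : ''}>`;
    });
}

// Constructed sample avatar: a script element plus an on* handler on the root.
const SAMPLE_AVATAR =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">' +
  '<script>alert(2)</script><circle cx="5" cy="5" r="4"/></svg>';

// Run both sanitisers over the sample and report what each leaves active.
function demo(svg = SAMPLE_AVATAR) {
  return {
    naive: findActiveContent(naiveSanitise(svg)),        // ['onload']
    allowlist: findActiveContent(allowlistSanitise(svg)), // []
  };
}
```

The point of `demo()` is the asymmetry: stripping <script> removes the element the sanitiser author thought of, while the `onload` handler on the root `<svg>` survives untouched, which is exactly the gap the lab describes. The allowlist version never reasons about what is dangerous, only about what is needed, so the same input comes out with the handler gone.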