SVG XSS fix typo from #729 + files

Swissky
2024-11-02 11:27:26 +01:00
parent 53ba2932ab
commit acb509d436
6 changed files with 33 additions and 2 deletions

@@ -398,7 +398,7 @@ Simple script. Codename: green triangle
</svg>
```
More comprehensive payload with svg tag attribute, desc script, foreignObject script, foreignObject iframe, title script, animatetransform event and simple script. Codename: red lignthning. Author: noraj.
More comprehensive payload with svg tag attribute, desc script, foreignObject script, foreignObject iframe, title script, animatetransform event and simple script. Codename: red ligthning. Author: noraj.
```xml
<?xml version="1.0" standalone="no"?>
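Review bot: the replacement text on the "Codename" line is still misspelled: "red ligthning" has the h and t transposed and should read "red lightning". Suggest correcting it in this same change so the typo fix does not need another follow-up.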
@@ -443,7 +443,7 @@ SVG 1.x (xlink:href)
</svg>
```
Including a remote SVG fragment in a SVG works but won't trigger the XSS embedded in the remote SVG element because it's impossible to add vulnerable attribute on a polygon/rect/etc sicne the `style` attribute is no longer a vector on modern browsers. Author: noraj.
Including a remote SVG fragment in a SVG works but won't trigger the XSS embedded in the remote SVG element because it's impossible to add vulnerable attribute on a polygon/rect/etc since the `style` attribute is no longer a vector on modern browsers. Author: noraj.
SVG 1.x (xlink:href)
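Review bot: the changed sentence about remote SVG fragments fixes "sicne" but leaves two grammar slips on the same line: "in a SVG" should read "in an SVG", and "add vulnerable attribute on a polygon/rect/etc" should read "add a vulnerable attribute on a polygon/rect/etc." Worth folding both into this typo pass since the line is already being touched.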