XSS attempt
![" onload="console.log('Im in your mainframe :3')"](/apple-touch-icon-precomposed.png)
turns into
![" onload="console.log('Im in your mainframe :3')"](/apple-touch-icon-precomposed.png)
turns into
Hmm let's try adding a span into a link
[<span onload="console.log('Im in your mainframe :3')"></span>](/)
turns into
<span onload="console.log('Im in your mainframe :3')"></span>
bold?
[<b onclick="console.log('Im in your mainframe :3')">I should not appear as bold</span>](/)
turns into
<b onclick="console.log('Im in your mainframe :3')">I should not appear as bold</span>
cool, no arbitrary element addition
nitori wrote (edited)
ebic fail
again, good HTML sanitizing
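Why the payloads tested above stay inert, shown as an added example that is not part of the thread and not the forum software's own code: a minimal renderer for the two Markdown constructs exercised (`![alt](src)` and `[text](href)`) that HTML-escapes every label and allowlists URL forms. The names `escapeHtml`, `safeUrl` and `renderInline` are hypothetical.

```javascript
// Added illustration; NOT the forum software's actual renderer (names are hypothetical).
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can end a text node or a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESC[c]);
}

// Allow only site-relative paths and http(s) URLs; anything else becomes "#".
function safeUrl(url) {
  const u = url.trim();
  if (/^\/(?!\/)/.test(u) || /^https?:\/\//i.test(u)) return escapeHtml(u);
  return '#';
}

// Render ![alt](src) and [text](href); all other text, raw HTML included, is escaped.
function renderInline(md) {
  const re = /(!?)\[([^\]]*)\]\(([^)\s]*)\)/g;
  let out = '';
  let last = 0;
  for (const m of md.matchAll(re)) {
    out += escapeHtml(md.slice(last, m.index));
    const [whole, bang, label, url] = m;
    out += bang
      ? `<img src="${safeUrl(url)}" alt="${escapeHtml(label)}">`
      : `<a href="${safeUrl(url)}">${escapeHtml(label)}</a>`;
    last = m.index + whole.length;
  }
  return out + escapeHtml(md.slice(last));
}

// The three inputs from the post, copied as test data.
const SAMPLES = [
  `![" onload="console.log('Im in your mainframe :3')"](/apple-touch-icon-precomposed.png)`,
  `[<span onload="console.log('Im in your mainframe :3')"></span>](/)`,
  `[<b onclick="console.log('Im in your mainframe :3')">I should not appear as bold</span>](/)`,
];

for (const s of SAMPLES) console.log(renderInline(s));
```

In the image case the quote inside the alt text becomes `&quot;`, so it cannot close the attribute and `onload` remains part of the alt string; in the link cases the angle brackets become `&lt;`/`&gt;`, so the tags are shown as text instead of being created as elements.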