Xss

HTML parser

by YesWeHack

drag_indicator

info

drag_indicator

inputs

drag_indicator

inspect

JS context

Does this protection is enough to protect you against XSS ?

spoiler: it's not

Goal: alert(flag)

Hints

Hint #1

expand_more

The HTML parser and the JS parser are not the same.

Hint #2

expand_more

The HTML parser run first, then it's Javascript turn.

Solution

Read the solution

expand_more

Because the HTML parse goes first, you can use a closing </script> tag to end the script early. Then you can simply inject some HTML to trigger the execution.

$user = </script><script>alert(flag)</script>

drag_indicator

waf

INPUT

OUTPUT

drag_indicator

code

drag_indicator

result