OWASP / SecurityShepherd

Web and mobile application security training platform
https://owasp.org/www-project-security-shepherd/
GNU General Public License v3.0

Investigate Alternative XSS Detection #297

Open githubname1 opened 7 years ago

githubname1 commented 7 years ago

Hello. In the above challenge 'Cross Site Scripting Two', the following produces the XSS alert although it is not captured as correct by the application: `<marquee/onstart=alert('XSS')>`. Am I doing something wrong, or is it a bug? This is in Iceweasel version 38.5.0.

etnoy commented 7 years ago

Same if you replace marquee with svg or something similar. Doesn't seem to be detected by Security Shepherd as a valid solution.

markdenihan commented 6 years ago

Shepherd has some gaps when it comes to detecting successful XSS attacks. This is one of them. We should investigate a different solution. Putting this on the backlog.
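To make the gap concrete, the following is an added example written for this page; it is not Security Shepherd's code and was not posted by anyone in the thread. It contrasts a fixed keyword list (an assumed stand-in for marker matching, not Shepherd's real check) with a structural check that flags any inline event handler, `<script>` element or `javascript:` URL regardless of which event is used. The sample payloads other than the `marquee` one from the issue are constructed here; the functions `keywordDetect`, `structuralDetect` and `compareDetectors` are names chosen for this example.

```javascript
// Added example, not SecurityShepherd's code: a keyword-list check versus a
// structural check for "does this input carry executable script?", run over
// the marquee payload from this issue plus constructed variants.

// Hypothetical fixed-list detector. The marker list is an ASSUMPTION made for
// this illustration; it is not Shepherd's actual detection logic.
const KNOWN_MARKERS = ["<script", "onerror=", "onload=", "onclick=", "javascript:"];

function keywordDetect(payload) {
  const lowered = payload.toLowerCase();
  return KNOWN_MARKERS.some((marker) => lowered.includes(marker));
}

// Structural detector: walk every opening tag and flag
//   (a) a <script> element,
//   (b) any attribute whose name starts with "on" (onstart, onbegin,
//       ontoggle, ... whichever event the author picked),
//   (c) a URL-valued attribute whose value starts with "javascript:".
// Like a browser, it treats "/" between the tag name and an attribute as
// whitespace, which is what makes <marquee/onstart=...> work at all.
// The trailing [^>]* soaks up an unbalanced quote so a stray ' cannot hide
// the rest of the tag from the scanner.
const TAG_RE = /<(\/?)([a-z][a-z0-9-]*)((?:"[^"]*"|'[^']*'|[^>"'])*[^>]*)>/gi;
const HANDLER_RE = /(?:^|[\s\/])on[a-z]+\s*=/i;
const JS_URL_RE = /(?:^|[\s\/])(?:href|src|action|formaction|xlink:href)\s*=\s*["']?\s*javascript:/i;

function structuralDetect(payload) {
  TAG_RE.lastIndex = 0;
  let match;
  while ((match = TAG_RE.exec(payload)) !== null) {
    const isClosing = match[1] === "/";
    const tag = match[2].toLowerCase();
    const attrs = match[3];
    if (isClosing) continue;
    if (tag === "script") return true;
    // Blank out quoted values before the handler check so text such as
    // title="x onx=y" is not mistaken for an attribute name.
    const attrsNoValues = attrs.replace(/"[^"]*"|'[^']*'/g, '""');
    if (HANDLER_RE.test(attrsNoValues)) return true;
    if (JS_URL_RE.test(attrs)) return true;
  }
  return false;
}

// Constructed sample inputs; only the first one is quoted from the issue.
const SAMPLE_PAYLOADS = [
  "<marquee/onstart=alert('XSS')>",                              // from this issue
  "<svg><animate onbegin=alert('XSS') attributeName=x dur=1s>",   // constructed
  "<details open ontoggle=alert('XSS')>",                         // constructed
  "<img src=x onerror=alert('XSS)>",                              // constructed, unbalanced quote
  "<a href=\"javascript:alert('XSS')\">x</a>",                    // constructed
  "<b>hello</b>",                                                 // constructed, benign
];

// Side-by-side verdicts, so the misses of the keyword list are visible.
function compareDetectors(payloads) {
  return payloads.map((payload) => ({
    payload,
    keyword: keywordDetect(payload),
    structural: structuralDetect(payload),
  }));
}

console.table(compareDetectors(SAMPLE_PAYLOADS));
```

Run it with `node`; the table shows the marquee, `onbegin` and `ontoggle` payloads as misses for the keyword list and hits for the structural check. Both functions are still server-side string analysis and can be evaded with entity encoding or markup the regex does not anticipate, so the alternative worth investigating for a training platform is execution-based detection: instrument the challenge page (for example, have its `alert` report back to the server) so a solution counts only when script actually ran in the browser.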