Closed kahoot-karl closed 10 months ago
I cannot reproduce, sorry. I see no bug here.
Edit: GitHub stripped some tags, so I have changed the formatting.
The clean DOM will result in a naked audio tag with JavaScript code attached to the onerror callback. Isn't that a vulnerability?
There is no actual injection or bypass, you just see harmless text there, as expected.
XSS injection. Can be reproduced with https://cure53.de/purify
Input
Given output
Expected output
Not sure