DanielHeath
commented
4 years ago Argh! My mistake - loofah does in fact handle this (good job!)
Closed DanielHeath closed 4 years ago
DanielHeath
commented
4 years ago Argh! My mistake - loofah does in fact handle this (good job!)
Just tested this against the latest loofah version and got an
alert(1).https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/