Navigating to
http://mtg.jflyfox.com/front/article/378''%3Csvg%3E%3Chtml%3E%3Cscript%3Ealert(1)%3Cbr%3E
gives an alert() popup.

There happen to be a few character limits in composing the payload, not by design (which indeed provides some sort of protection to it):
<space>,+,%0d,%0a,<slash>,%2f
won't work there, as everything was still in a URL-encoded format and slashes were caught by the routing mechanism in advance, causing a 404.

Tested on Microsoft Edge 42.17134.1.0.
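The character limits in the report are a side effect of URL handling, so the fix belongs in validation and output encoding. The following is an added example, not part of the original report or the project's code: it checks the reported segment against the blocked characters, then applies a digits-only id check and HTML encoding at output. The helper names and the `render_*` template are assumptions, since the report does not say where in the page the value is reflected.

```python
import html
import re
from urllib.parse import unquote

# Path segment from the report, still URL-encoded as the router receives it.
REPORTED_SEGMENT = "378''%3Csvg%3E%3Chtml%3E%3Cscript%3Ealert(1)%3Cbr%3E"

# Decoded forms of the characters the report says do not get through.
INCIDENTALLY_BLOCKED = set(" +\r\n/")

# Allow-list for an article id: ASCII digits only, bounded length (assumed format).
ARTICLE_ID = re.compile(r"[0-9]{1,10}")

# Hypothetical template; the real reflection point is not given in the report.
TEMPLATE = '<a href="/front/article/%s">permalink</a>'


def blocked_chars_present(segment: str) -> set:
    """Return which incidentally blocked characters the decoded segment uses."""
    return INCIDENTALLY_BLOCKED & set(unquote(segment))


def parse_article_id(segment: str):
    """Strict input validation: return the id as int, or None to reject (404/400)."""
    decoded = unquote(segment)
    return int(decoded) if ARTICLE_ID.fullmatch(decoded) else None


def render_unsafe(segment: str) -> str:
    """Reflects the decoded segment as-is: markup in the segment reaches the page."""
    return TEMPLATE % unquote(segment)


def render_safe(segment: str) -> str:
    """Same template with HTML encoding applied at the point of output."""
    return TEMPLATE % html.escape(unquote(segment), quote=True)


if __name__ == "__main__":
    print("blocked chars used:", blocked_chars_present(REPORTED_SEGMENT))
    print("validated id:", parse_article_id(REPORTED_SEGMENT))
    print("unsafe:", render_unsafe(REPORTED_SEGMENT))
    print("safe:  ", render_safe(REPORTED_SEGMENT))
```
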