Video length: 14:04
Generic HTML Sanitizer Bypass Investigation

2023-07-03

19.6K views, 6.63K likes

Channel: LiveOverflow

I stumbled over a weird HTML behavior on Twitter and started to investigate it. Did I just stumble over a generic HTML Sanitizer bypass?

Get my handwritten font https://shop.liveoverflow.com (advertisement)

Check out our courses on https://hextree.io (advertisement)

The Tweet: https://twitter.com/MRCodedBrain/status/1662701541680136195

Google XSS: /youtube/video/lG7U3fuNw3A

HTML Spec: https://html.spec.whatwg.org/multipage/parsing.html#parse-error-invalid-first-character-of-tag-name
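The spec section linked above defines what a browser does with a "<" that is not followed by a tag name: when a start tag was expected, the "<" becomes text and parsing continues; when an end tag was expected ("</"), everything up to the next ">" becomes a comment. The block below is an added example, not code from the video, from DOMPurify, or from any real sanitizer: a small tokenizer that follows that "tag open" decision, beside a hypothetical regex blocklist sanitizer that reads tag names the way the browser does not, and a spec-faithful allowlist sanitizer built on the tokenizer. The function names (tokenize, elementsCreated, naiveStripBlocked, allowlistSanitize, demo) and the sample inputs are constructed for this example and are not the tweet's payload.

```javascript
// Added example (not from the video, DOMPurify, or any real sanitizer):
// the WHATWG tokenizer's decision right after a "<", reduced to the cases
// behind the linked parse error "invalid-first-character-of-tag-name".
//
// Tag open state, per the spec:
//   ASCII alpha   -> start tag
//   "/"           -> end tag open state: alpha -> end tag; ">" -> dropped;
//                    EOF -> "</" is text; anything else -> bogus comment to ">"
//   "!" / "?"     -> comment ("<!--" ... "-->") or bogus comment up to ">"
//   EOF           -> "<" is text
//   anything else -> "<" is emitted as TEXT, tokenizing resumes in data state
//
// Simplifications (assumptions of this example): a tag ends at the first ">",
// so ">" inside a quoted attribute value is not handled; DOCTYPE, CDATA and the
// RAWTEXT/RCDATA modes of <script>, <style>, <textarea> are not modelled.

const ALPHA = /[A-Za-z]/;

function tokenize(html) {
  const tokens = [];
  let text = "";
  let i = 0;
  const flush = () => { if (text) tokens.push({ type: "text", data: text }); text = ""; };
  // Slice from `from` up to the next ">" (or EOF); returns [body, indexAfter].
  const upToGt = (from) => {
    const gt = html.indexOf(">", from);
    return gt === -1 ? [html.slice(from), html.length] : [html.slice(from, gt), gt + 1];
  };
  const emit = (tok, next) => { flush(); tokens.push(tok); i = next; };

  while (i < html.length) {
    if (html[i] !== "<") { text += html[i]; i += 1; continue; }
    const n = html[i + 1];
    if (n !== undefined && ALPHA.test(n)) {                  // start tag
      const [body, next] = upToGt(i + 1);
      emit({ type: "start", name: body.split(/[\s/]/)[0].toLowerCase(), raw: body }, next);
    } else if (n === "/") {                                  // end tag open state
      const m = html[i + 2];
      if (m !== undefined && ALPHA.test(m)) {
        const [body, next] = upToGt(i + 2);
        emit({ type: "end", name: body.split(/\s/)[0].toLowerCase() }, next);
      } else if (m === ">") {                                // missing-end-tag-name: "</>" dropped
        i += 3;
      } else if (m === undefined) {                          // eof-before-tag-name: "</" is text
        text += "</"; i += 2;
      } else {                                               // invalid-first-character-of-tag-name,
        const [body, next] = upToGt(i + 2);                  // end tag expected: bogus comment
        emit({ type: "comment", data: body }, next);
      }
    } else if (n === "!" && html.startsWith("<!--", i)) {    // comment
      const close = html.indexOf("-->", i + 4);
      const body = close === -1 ? html.slice(i + 4) : html.slice(i + 4, close);
      emit({ type: "comment", data: body }, close === -1 ? html.length : close + 3);
    } else if (n === "!" || n === "?") {                     // bogus comment
      const [body, next] = upToGt(i + 1);
      emit({ type: "comment", data: body }, next);
    } else {                                                 // invalid-first-character-of-tag-name,
      text += "<"; i += 1;                                   // start tag expected (or EOF): "<" is text
    }
  }
  flush();
  return tokens;
}

// Element names the browser would actually create from this markup.
function elementsCreated(html) {
  return tokenize(html).filter((t) => t.type === "start").map((t) => t.name);
}

// Hypothetical blocklist sanitizer of the kind written without reading the
// tokenizer: regex-match a "tag", take the alphanumerics after "<" as its name.
function naiveStripBlocked(html, blocked = ["script", "img", "iframe"]) {
  return html.replace(/<\/?([a-zA-Z0-9]*)[^>]*>/g, (whole, name) =>
    blocked.includes(name.toLowerCase()) ? "" : whole);
}

// Spec-faithful alternative: decide on the tokens the browser will produce.
// Allowed tags are re-emitted without attributes, other tags and comments are
// dropped, and text (including a bare "<") is entity-encoded.
function allowlistSanitize(html, allowed = ["b", "i", "p"]) {
  const enc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return tokenize(html).map((t) => {
    if (t.type === "text") return enc(t.data);
    if (t.type === "start" && allowed.includes(t.name)) return `<${t.name}>`;
    if (t.type === "end" && allowed.includes(t.name)) return `</${t.name}>`;
    return "";
  }).join("");
}

// Constructed inputs (not the tweet's payload).
const SAMPLES = {
  plainTag: "<img src=x onerror=alert(1)>",
  digitPrefix: "<1<img src=x onerror=alert(1)>",   // "<1" is text; the img is real
  endTagPrefix: "</1<img src=x onerror=alert(1)>", // "</1" starts a comment; no img
};

function demo() {
  const out = {};
  for (const [label, input] of Object.entries(SAMPLES)) {
    const naive = naiveStripBlocked(input);
    out[label] = {
      naiveOutput: naive,
      elementsAfterNaive: elementsCreated(naive),
      allowlistOutput: allowlistSanitize(input),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with node. The digitPrefix sample is the one to look at: the regex sanitizer extracts "1" as the tag name, finds it on no blocklist and keeps the whole string, while the tokenizer (like the browser) treats "<1" as text and still creates the img element. The endTagPrefix sample shows the other half of the spec rule: the regex sanitizer keeps it too, but the browser turns "</1...>" into a comment, so nothing executes. The lesson that generalizes is the one the video's title asks about: a sanitizer is only as good as its agreement with the browser's tokenizer, which is why allowlistSanitize decides on tokens rather than on the raw string.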

Chapters:

00:00 - Intro

01:09 - Sanitizing vs. Encoding

02:32 - Developing HTML Sanitizer Bypass

05:03 - Attacking DOMPurify

07:08 - Attacking Server-side Sanitizer

08:31 - HTML Parse Error Specification

10:08 - Potential Impact

11:55 - hextree.io

=[ ❤️ Support ]=

→ per Video: https://www.patreon.com/join/liveoverflow

→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

2nd Channel: https://www.youtube.com/LiveUnderflow

=[ 🐕 Social ]=

→ Twitter: https://twitter.com/LiveOverflow/

→ Streaming: https://twitch.tv/LiveOverflow/

→ TikTok: https://www.tiktok.com/@liveoverflow_

→ Instagram: https://instagram.com/LiveOverflow/

→ Blog: https://liveoverflow.com/

→ Subreddit: https://www.reddit.com/r/LiveOverflow/

→ Facebook: https://www.facebook.com/LiveOverflow/
