filterXSSByDOM selectedcontent Bypass Demo

This page steps through how a live NodeIterator can miss an event handler cloned back into <selectedcontent> after the sanitizer removes the default-blacklisted <object> element.

Steps

Current NodeIterator node
selectedcontent subtree
Node still carrying an event handler

Payload Input


      

      

        Current selectedcontent
        

      

      

        
        Not executed