1 Feb
XSS Bypass Whitelist
I found an HTML injection on a markdown, although it seems odd as the user can already use HTML in the box.
So I tried to turn it into XSS, but after a day of trial and error I concluded that the website has a whitelist that allows only and with specific attributes
`<img src=#>`
Anything after it will result in removing the whole payload.
`<a href=javascript:alert(1)>` will remove the `:`
So I tried to bypass the removal of the colon using HTML and URL encoding, but with no success.
The data is inserted into the body of a div tag like this:
`<div*>data here</div*>`
Any workarounds you think about?
Thank you.