July 9th 2025

Bypassing Live HTML Filtering to Trigger Stored XSS – DOM-Based Exploitation

I recently tested a language-learning site that used live frontend filtering to block HTML input (e.g., <img> and <svg> tags were removed as you typed).

But by injecting the payload directly via the browser console (without typing it), the input was submitted and stored.

Surprisingly, the XSS executed later on my own profile page — indicating stored execution from a DOM-based bypass.

I wrote a short write-up here:

https://is4curity.medium.com/xss-before-submit-a-dom-based-execution-flaw-hidden-in-plain-sight-5633bdd686c9

enjoy

submitted by /u/General_Speaker9653
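The flow described in the post, modelled as an added example (not code from the original post or from the site it tested): a constructed live filter, a minimal store, and the same stored value rendered unencoded versus HTML-encoded. All function names and the test value are assumptions.

```javascript
// Added example (not from the original post or the site it describes): models
// the flow the post reports. A client-side "live filter" strips <img>/<svg>
// tags as the user types, but a value submitted from the browser console never
// passes through it. The control that survives that bypass is output encoding
// applied where the stored value is rendered (the profile page).

// Constructed approximation of the live frontend filter described in the post.
function liveFilter(input) {
  return input.replace(/<\/?(img|svg)\b[^>]*>/gi, "");
}

// Backend store: persists whatever the client actually sent.
const profileStore = new Map();
function saveBio(userId, bio) {
  profileStore.set(userId, bio);
}

// Vulnerable render: concatenates stored data into HTML unencoded, so the
// server effectively relies on a client filter that was never enforced.
function renderBioUnsafe(userId) {
  return `<p class="bio">${profileStore.get(userId) ?? ""}</p>`;
}

// Hardened render: HTML-encode on output, regardless of how the value arrived.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderBioSafe(userId) {
  return `<p class="bio">${escapeHtml(profileStore.get(userId) ?? "")}</p>`;
}

// Detection helper (constructed): does the rendered HTML contain a real tag
// carrying an event-handler attribute? Encoded text has no raw "<", so it
// cannot match.
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\bon\w+\s*=/i.test(html);
}

// Constructed test value of the kind the post mentions (an <svg> with a handler).
const payload = '<svg onload="alert(1)">';

// Path 1: typed input passes the live filter, so the tag is stripped pre-submit.
saveBio("typed", liveFilter(payload));
// Path 2: a value set from the console skips the filter and is stored verbatim.
saveBio("console", payload);
```

Rendering the "console" entry through renderBioUnsafe reproduces the stored execution the post reports; renderBioSafe turns the same stored value into inert text, which is the fix that does not depend on the client.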