XSS Challenge #5
Rules
- There's been a recent change in the HTML standard that alters the behaviour of breaking out of foreign content in innerHTML.
- The previous behaviour could be abused for mutation XSS in Firefox.
- Everything you input below will be sanitized by a handmade sanitizer and written to iframe.srcdoc.
- Can you find a way to execute alert(document.domain) in Firefox?
- Update: @PwnFunction found a nice solution that utilizes <noscript>, which was an unexpected way to solve the challenge. Hence <noscript> is also disallowed now.
- Reply to my tweet when you do!
Safe HTML sanitizer