chiroyce @chiroyce

<img src="x" onerror="alert('hi! here is some fresh new xss, enjoy🍴 ')">

Feb 18, 2022, 2:04 PM
5

comments

Did this ever work? I found out that almost none of the attributes get passed through the API

*I tested style attribute too. Didn’t work

even if this worked jeffalo’s dompurify would cut the invalid src and possibly the onerror @jeffalo pls confirm