Generic HTML Sanitizer Bypass Investigation

I stumbled over a weird HTML behavior on Twitter and started to investigate it. Did I just stumble over a generic HTML Sanitizer bypass? Get my handwritten font https://shop.liveoverflow.com (advertisement) Checkout our courses on https://hextree.io (advertisement) The Tweet:   / 1662701541680136195   Google XSS:    • XSS on Google Search - Sanitizing HTML in ...   HTML Spec: https://html.spec.whatwg.org/multipag... Chapters: 00:00 - Intro 01:09 - Sanitizing vs. Encoding 02:32 - Developing HTML Sanitizer Bypass 05:03 - Attacking DOMPurify 07:08 - Attacking Server-side Sanitizer 08:31 - HTML Parse Error Specification 10:08 - Potential Impact 11:55 - hextree.io =[ ❤️ Support ]= → per Video:   / liveoverflow   → per Month:    / @liveoverflow   2nd Channel:    / liveunderflow   =[ 🐕 Social ]= → Twitter:   / liveoverflow   → Streaming: https://twitch.tvLiveOverflow/ → TikTok:   / liveoverflow_   → Instagram:   / liveoverflow   → Blog: https://liveoverflow.com/ → Subreddit:   / liveoverflow   → Facebook:   / liveoverflow  

Join Today
The Same Origin Policy - Hacker History
▶︎

The Same Origin Policy - Hacker History

Elite XSS Hacking Masterclass (Official Hands-On Course)
▶︎

Elite XSS Hacking Masterclass (Official Hands-On Course)

Authentication Bypass Using Root Array
▶︎

Authentication Bypass Using Root Array

I Built a Virus for this Cocky Scammer
▶︎

I Built a Virus for this Cocky Scammer

Master Pydantic AI - Part 3: Capabilities, RAG & GraphRAG (Research + Email Agents)
▶︎

Master Pydantic AI - Part 3: Capabilities, RAG & GraphRAG (Research + Email Agents)

DEF CON 33 - Unmasking the Snitch Puck: IoT surveillance tech in the school bathroom - Reynaldo, nyx
▶︎

DEF CON 33 - Unmasking the Snitch Puck: IoT surveillance tech in the school bathroom - Reynaldo, nyx

How to Bypass DOMPurify in Bug Bounty with Kevin Mizu (Ep 111)
▶︎

How to Bypass DOMPurify in Bug Bounty with Kevin Mizu (Ep 111)

PINK & ORANGE GRADIENT IN HD [3 HOURS]
▶︎

PINK & ORANGE GRADIENT IN HD [3 HOURS]

40Hz Binaural Gamma Waves - Ultra Deep Concentration
▶︎

40Hz Binaural Gamma Waves - Ultra Deep Concentration

Trying to Find a Bug in WordPress
▶︎

Trying to Find a Bug in WordPress

Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials
▶︎

Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials

What is a Protocol? (Deepdive)
▶︎

What is a Protocol? (Deepdive)

Attacking AI - Jason Haddix - NDC Security 2026
▶︎

Attacking AI - Jason Haddix - NDC Security 2026

How Rockstar fit an entire city into PlayStation 2 memory
▶︎

How Rockstar fit an entire city into PlayStation 2 memory

DO NOT USE alert(1) for XSS
▶︎

DO NOT USE alert(1) for XSS

The Age of Universal XSS
▶︎

The Age of Universal XSS

Anthropic is Completely F*cked.
▶︎

Anthropic is Completely F*cked.

VPNs, Proxies and Secure Tunnels Explained (Deepdive)
▶︎

VPNs, Proxies and Secure Tunnels Explained (Deepdive)

How the Best Hackers Learn Their Craft
▶︎

How the Best Hackers Learn Their Craft

DEF CON 33 - Kill List: Hacking an Assassination Site on the Dark Web - Carl Miller, Chris Monteiro
▶︎

DEF CON 33 - Kill List: Hacking an Assassination Site on the Dark Web - Carl Miller, Chris Monteiro