← vuln-lab catalog

SVG-based XSS

User-supplied SVG markup from ?svg= is dropped into the page via innerHTML. SVG carries its own script surface (onload, <image onerror>, <animate onbegin>) so it slips past naive "no <script>" filters.

(rendered SVG appears here)

Trigger: /xss/svg.html?svg=<svg><image href=x onerror=alert(1)></svg>

Detected by: browser_cdp_svg_xss_probe