Profile nickname / icon rendering XSS
Check whether small profile fields such as nicknames, status text, or icon URLs become executable code in attribute or HTML contexts.
HTML payload check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Render nicknames with textContent only
- Encode values according to the attribute context before placing them in attributes
- Validate icon URLs with URL parsing plus host/protocol allowlists
Payload
Checks quote breakout when a nickname is placed inside title, aria-label, or value attributes.
Preview
The preview intentionally performs unsafe rendering for learning. In a real service, this payload should be escaped as text or removed.
Explanation
- Profile fields are reused everywhere: comments, notifications, admin lists, share cards. One missed rendering path can become stored XSS.
- A nickname is text, not HTML. Keep React/DOM default text rendering and check that formatters do not switch to dangerouslySetInnerHTML.
- Icon fields are mostly URL-policy problems. Do not pass user-provided icon URLs directly into src, CSS URLs, or innerHTML without protocol, host, and content-type checks.
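The checklist above (text rendering, attribute-context encoding, icon URL allowlisting) and the quote-breakout check that the payload exercises, worked through as an added example. This is not the lab's own code: it is a Node.js script that builds the same profile card two ways, once by raw concatenation as the preview does, once with context-specific encoding and a URL policy. The CDN host `cdn.example`, the default icon path, and the sample profile (a nickname that closes a title attribute, plus a `javascript:` icon URL) are all constructed for the example. In a browser you would set `el.textContent` and `el.title` / `el.setAttribute(...)` instead of string-building; the encoders here are the string equivalent of those DOM assignments.

```javascript
// Added example, not from the original page: safe vs. unsafe profile card rendering.

// Encode a value for an HTML text node. Quotes are inert here; only the
// characters that start tags or entities need encoding.
function encodeForText(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Encode a value for a double-quoted HTML attribute (title, aria-label, value).
// The quote is the breakout character in this context, so it must be encoded.
function encodeForAttribute(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Icon URL policy: parse with the WHATWG URL class, then allowlist protocol
// and host. The host below is an assumed CDN for this example.
const ALLOWED_ICON_HOSTS = new Set(["cdn.example"]);

function safeIconUrl(raw) {
  let url;
  try {
    url = new URL(String(raw)); // relative ("//host/x.png") and malformed input throw
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;     // rejects javascript:, data:, http:
  if (url.username || url.password) return null;  // https://cdn.example@evil.example/
  if (!ALLOWED_ICON_HOSTS.has(url.hostname)) return null;
  return url.href;                                // normalized (lowercased scheme/host)
}

// Unsafe renderer, mirroring what the lab preview does: raw concatenation.
function renderCardUnsafe(profile) {
  return `<img src="${profile.icon}" title="${profile.nickname}">` +
         `<span>${profile.nickname}</span>`;
}

// Hardened renderer: each value encoded for the context it lands in, and a
// known default icon substituted when the URL policy rejects the input.
const DEFAULT_ICON = "https://cdn.example/default.png"; // assumed default asset

function renderCardSafe(profile) {
  const icon = safeIconUrl(profile.icon) ?? DEFAULT_ICON;
  const nick = profile.nickname;
  return `<img src="${encodeForAttribute(icon)}" title="${encodeForAttribute(nick)}">` +
         `<span>${encodeForText(nick)}</span>`;
}

// Constructed sample profile: the nickname closes the title attribute and adds
// an event handler; the icon is a javascript: URL.
const SAMPLE_PROFILE = {
  nickname: '" onmouseover="alert(1)',
  icon: "javascript:alert(1)",
};

console.log("unsafe:", renderCardUnsafe(SAMPLE_PROFILE));
console.log("safe:  ", renderCardSafe(SAMPLE_PROFILE));
```

In the unsafe output the nickname turns into a second attribute (`title="" onmouseover="alert(1)"`) and the icon becomes an executable `src`. In the safe output the same nickname stays inside the title value as `&quot; onmouseover=&quot;alert(1)`, and the icon falls back to the default because `javascript:` fails the protocol check. Note that `encodeForText` leaves the quotes alone: inside a text node they cannot break out, which is why the attribute and text encoders are separate functions rather than one shared "escape" helper.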