SVG / MathML onload payload
Check whether SVG and MathML namespaces, their event attributes, and HTML nested inside them bypass weak filters.
HTML payload check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Verify whether your service actually needs to allow svg/math tags at all
- Verify that event attributes (onload and the other on* handlers) and HTML nested inside those namespaces are removed
- Use structural HTML filtering (parse, then allowlist elements and attributes) instead of a tag-name blacklist
Payload
A representative SVG payload that executes JavaScript through an onload attribute without any script tag.
Preview
The preview intentionally renders the payload unsafely so you can observe the behavior. In a real service, this payload should be escaped as text or removed entirely.
Explanation
- SVG and MathML elements live in namespaces separate from HTML and carry their own element and event-attribute vocabulary (onload on svg, onbegin on animate, and so on), so a filter written against a list of HTML tag names misses both their structure and their event attributes. The browser also switches back to HTML parsing inside elements such as foreignObject and mtext, so HTML nested there is parsed and executed normally.
- If your service does not actually need SVG or MathML, the simplest and safest option is to remove those elements together with everything inside them.
- If you must allow them, parse the input, allowlist elements and their attributes per element, reject every on* attribute, and check URL-valued attributes (href, src, xlink:href) by scheme after entity decoding.
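The two filtering approaches above, side by side, as an added example that is not part of this lab's code: a regex tag-name blocklist that every namespaced payload walks past, beside a structural allowlist sanitizer built on Python's stdlib html.parser. The element allowlist, the safe-scheme set and the sample payloads are assumptions constructed for the demo; the tokenizer-based sanitizer is illustrative, and a production service should run a maintained allowlist sanitizer over a parsed DOM (for example DOMPurify in the browser), since HTML foreign-content and mis-nesting rules are hard to reproduce in a tokenizer.

```python
"""Added example (not the lab's code): tag-name blocklist vs. structural
allowlist sanitizer, run over constructed SVG / MathML / URL payloads."""
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample inputs for this demo; none are taken from the page.
SAMPLES = [
    '<svg onload="alert(1)"></svg>',                                        # event attribute on a namespaced element
    '<svg><animate onbegin="alert(1)" attributeName="x" dur="1s"/></svg>',  # SVG-only event attribute
    '<math><mtext><img src="x" onerror="alert(1)"></mtext></math>',         # HTML nested inside MathML
    '<a href="javascript:alert(1)">click</a>',                              # dangerous scheme in a URL attribute
    '<p>hello <b>world</b> <a href="https://example.com">link</a></p>',     # benign markup that must survive
]

# Weak filter: a regex blocklist of a few tag names. It never looks at svg/math
# or at event attributes, so every payload above passes through untouched.
BLOCKLIST = re.compile(r'</?(script|iframe|object|embed)\b[^>]*>', re.I)

def weak_filter(html: str) -> str:
    return BLOCKLIST.sub('', html)

# Structural filter: parse, keep only allowlisted elements and per-element
# attributes, check URL-valued attributes by scheme, then re-serialize.
ALLOWED = {  # assumed allowlist for the demo
    'p': set(), 'br': set(), 'b': set(), 'i': set(), 'em': set(), 'strong': set(),
    'ul': set(), 'ol': set(), 'li': set(),
    'a': {'href', 'title'},
}
URL_ATTRS = {'href', 'src'}
SAFE_SCHEMES = {'http', 'https', 'mailto'}
VOID = {'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
        'link', 'meta', 'param', 'source', 'track', 'wbr'}
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*:')

def safe_url(value: str) -> bool:
    # Browsers ignore ASCII control characters and whitespace while reading the
    # scheme ("java\tscript:"), so strip them before matching. Entities such as
    # &#106; are already decoded by HTMLParser before the value reaches us.
    v = re.sub(r'[\x00-\x20\x7f]', '', value).lower()
    m = SCHEME_RE.match(v)
    if not m:
        return True  # relative URL: no scheme to abuse
    return m.group(0)[:-1] in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allowlisted elements currently open, for balanced output
        self.drop_depth = 0   # >0 while inside a disallowed element's subtree

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag not in VOID:
                self.drop_depth += 1
            return
        if tag not in ALLOWED:
            # svg, math, img, iframe, script, ...: drop the element and its whole subtree.
            if tag not in VOID:
                self.drop_depth = 1
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # on*, style, xlink:href and anything else not allowlisted is gone
            value = value or ''
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag not in VOID:
                self.drop_depth -= 1
            return
        if tag in self.open:
            while self.open:  # close back to the matching element
                t = self.open.pop()
                self.out.append(f'</{t}>')
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions fall through and are dropped.

def sanitize(html: str) -> str:
    s = Sanitizer()
    s.feed(html)
    s.close()
    while s.open:  # close anything the input left open
        s.out.append(f'</{s.open.pop()}>')
    return ''.join(s.out)

def has_event_handler(html: str) -> bool:
    return re.search(r'\son[a-z]+\s*=', html, re.I) is not None

if __name__ == '__main__':
    for sample in SAMPLES:
        print('weak      :', weak_filter(sample))
        print('structural:', sanitize(sample))
```

Note the fail-closed choice in the structural filter: an unknown element that is never closed (for example an unterminated svg) suppresses everything after it rather than letting later content through, which is the safer error for a sanitizer to make.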