Published 17 years 2 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read
I did a couple of vectors for PHPIDS recently and I was experimenting with Firefox 3.1 beta and the new HTML5 tags. I found the audio and video tags could be used for XSS, I'm sure there are others too. The vectors are quite cool because they're executed automatically within a <del datetime="2009-03-23T11:10:10+00:00">onload </del> onerror event. (Originally the onload event worked with a invalid video)
Here are the vectors simplfied:-
<pre lang="javascript"> <video src=1 onerror=alert(1)> <audio src=1 onerror=alert(1)> </pre>Check out the phpids group on sla.ckers if you want to see the wacky versions which bypass the filtering. I use setTimeout and some js tricks to beat it.