1<html>
2 <head>
3 <link href="https://fonts.googleapis.com/css?family=Montserrat&display=swap" rel="stylesheet" />
4 <style>
5 .malware {
6 position: fixed;
7 bottom: 0;
8 left: 0;
9 right: 0;
10 height: 150px;
11 background: red;
12 color: black;
13 display: flex;
14 display: flex;
15 justify-content: center;
16 align-items: center;
17 font-family: monospace;
18 font-size: 72px;
19 }
20 </style>
21 <script>
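/**
 * Failure marker for this test page: makes a successful injection or
 * prototype pollution impossible to miss.
 *
 * Appends a `div#the-malware` carrying the `.malware` class (the fixed red
 * banner styled in this page's <style> block) to the document body, then
 * throws. On this page it is called by the polling script once a freshly
 * created object exposes an inherited `polluted` property.
 *
 * @throws {Error} Always throws 'XSS Succeeded' after the banner is attached;
 *   presumably so an automated run also sees an uncaught error, not only the
 *   visual banner (confirm against the test harness).
 */
function xssAttack() {
  const banner = document.createElement('div');
  banner.id = 'the-malware';
  banner.className = 'malware';
  // The banner is plain text, so textContent is enough and never parses markup.
  banner.textContent = 'XSS Succeeded';
  document.body.appendChild(banner);
  throw new Error('XSS Succeeded');
}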
30 </script>
31 </head>
32 <body>
33 <pre class="mermaid">
34 %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
35 graph LR
36 A --> B
37 </pre>
38 <pre class="mermaid">
39 %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
40 %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
41 graph LR
42 A --> B
43 </pre>
44 <pre class="mermaid">
45 %%{init: { 'prototype': {'__proto__': {'polluted': 'test'}}} }%%
46 %%{init: { 'prototype': {'__proto__': {'polluted': 'test'}}} }%%
47 sequenceDiagram
48 Alice->>Bob: Hi Bob
49 Bob->>Alice: Hi Alice
50 </pre>
51 <script type="module">
52 import mermaid from './mermaid.esm.mjs';
// Regression check for prototype pollution through mermaid `%%{init: ...}%%`
// directives: the diagrams on this page carry `__proto__` / `prototype` keys
// that try to set a `polluted` property. If the directive handling is safe,
// nothing below ever fires.
mermaid.initialize({
  startOnLoad: true,
  useMaxWidth: true,
});

const POLL_INTERVAL_MS = 100;
const MAX_TICKS = 20;
let ticks = 0;

const pollTimer = setInterval(() => {
  ticks += 1;

  // A fresh object literal has no own properties, so a defined `polluted`
  // here can only be inherited, i.e. Object.prototype was modified.
  const probe = {};
  const isPolluted = probe.polluted !== undefined;
  if (isPolluted) {
    clearInterval(pollTimer);
    xssAttack(); // shows the red banner and throws
  }

  // Stop polling once the tick count exceeds MAX_TICKS (about two seconds).
  if (ticks > MAX_TICKS) {
    clearInterval(pollTimer);
  }
}, POLL_INTERVAL_MS);
70 </script>
71 </body>
72</html>