1.5 KB61 lines
Blame
1<html>
2 <head>
3 <link href="https://fonts.googleapis.com/css?family=Montserrat&display=swap" rel="stylesheet" />
4 <style>
5 .malware {
6 position: fixed;
7 bottom: 0;
8 left: 0;
9 right: 0;
10 height: 150px;
11 background: red;
12 color: black;
13 display: flex;
14 display: flex;
15 justify-content: center;
16 align-items: center;
17 font-family: monospace;
18 font-size: 72px;
19 }
20 </style>
21 <script>
22 function xssAttack() {
23 const div = document.createElement('div');
24 div.id = 'the-malware';
25 div.className = 'malware';
26 div.innerHTML = 'XSS Succeeded';
27 document.getElementsByTagName('body')[0].appendChild(div);
28 throw new Error('XSS Succeeded');
29 }
30 </script>
31 </head>
32 <body>
33 <pre class="mermaid">
34 <!-- prettier-ignore -->
35 %%{init: { 'fontFamily': '\"></style><img src=x onerror=xssAttack()>'} }%%
36 graph LR
37 A --> B
38 </pre>
39 <script type="module">
40 import mermaid from './mermaid.esm.mjs';
41 mermaid.initialize({
42 startOnLoad: true,
43 useMaxWidth: true,
44 });
45 let cnt = 0;
46 let a;
47 const handler = setInterval(() => {
48 cnt++;
49 a = {};
50 if (typeof a.polluted !== 'undefined') {
51 clearInterval(handler);
52 xssAttack();
53 }
54 if (cnt > 20) {
55 clearInterval(handler);
56 }
57 }, 100);
58 </script>
59 </body>
60</html>
61