@ehomakov @garethheyes indeed. Also it enables XSS if injection in <link> and "<>" is filtered. And if any WYSIWYG editor allows <link> tag
-
-
Or rel=import href=data: on chrome
-
Uh, how about exploiting this: <link rel="alternate" hreflang="en-us" href="INJECTIONPOINT" />
-
This is possible using Access keys https://twitter.com/garethheyes/status/1062643854501928965 …
-
Wow thanks! But, this is possible only in Chrome but XSS auditor blocks it. :(