img
Typical HTML element which can carry XSS Payloads.
• HTML5 added new ways to include special content on web pages, like graphics with <svg> or math formulas with <math>. These elements are treated differently by web browsers than regular HTML, which means they follow their own set of rules and have their own namespace.
• I have retrieved elements with their behaviour towards mutation from the paper Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials.
Typical HTML element which can carry XSS Payloads.
Typical HTML element which can carry XSS Payloads.
In HTML treated as img, valid SVG or MathML element.
By default, the element's content is not rendered,Can render content in other SVG or MathML namespaces.
Basic HTML element,terminate foreign content.
Basic HTML element.
Form elements cannot be nested enforced by parsing specification.
Both cannot be nested,not enforced by parsing specification.
Terminates foreign content,optional end tag.
No end tag, no content allowed,terminate foreign content.
No end tag,no content allowed.
No interactive content allowed,example : iframe,not enforced by parsing sepcification.
Parsed differently depending on scripting flag : either HTML or javascript content.
Open's a table,parsing specification enforces no nesting,terminates foreign content.
Restrictive content,together they make up a table.
Only option,optgroup and script supporting content are allowed,special parsing rules when inside table.
Restriction on where it can occur,depending on attribute values allwed content changes.
Only text content.
Not supported anymore,no content,no end tag.
No element specification anymore,still has parsing rules,used to render markup as text without executing it.
No element specification anymore,still has parsing rules.
Make up a list,allowed to contain script supporting elements,terminate foreign content.
Only allowed to contain phrasing content,terminate foreign content.
Restricted content model,terminates foreign content.
Shall only occur inside dl,terminates foreign content.
Deprecated.Renders everything below as plain text,can not be closed.
No element specification anymore,still have parsing rules,contain raw text element.
Iframe element specification says no content allowed,but parsing specification says raw text content.
Namespace transition from HTML to SVG.
Allow to embed HTML segments inside a SVG.
Namespace transistion from HTML to MathML.
Allow to embed HTML segments inside MathML.
Text content when in HTML,otherwise markup.
Deprecated for both HTML and SVG.
HTML namespace - text content,singleton: not enforced by parsing specification.
SVG namespace - can contain markup.