{"detect":{"cwe":"CWE-79","exploit_examples":["/mxss/?comment=%3Cimg+src%3Dx%2Fonerror%3Dalert(1)%3E","/mxss/?comment=%3Cnoscript%3E%3Cp+title%3D%22%3C%2Fnoscript%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E%22%3E"],"notes":"Two layered bugs: (1) the regex `\\s+on[a-z]+=` is bypassed by `/` as the HTML5 attribute separator. (2) Even with a tighter sanitizer, the innerHTML round-trip reparses parser-mode tags (<noscript>/<style>/<svg>) and can re-activate stripped content.","owasp":"A03:2021 \u2014 Injection (XSS)","scanner_should_fire":true,"sinks":["regex-based HTML sanitizer + element.innerHTML round-trip"],"subtype":"mutation-xss-via-innerhtml-reparse","success_markers":["alert(1)"],"tags":["mxss","mutation","noscript","regex-sanitizer","innerhtml-reparse","attribute-separator"]},"lab_url":"/mxss/","sink":"regex sanitizer + element.innerHTML round-trip","slug":"mxss","source_url":"/source/mxss","summary":"Regex sanitizer + client-side innerHTML reparse = parser-mode escape.","title":"Mutation XSS via innerHTML round-trip","vulnerable":true}