This is a xss script:
The code between
<script> tags will be translated to
alert(1) by the browser and executed.
But if I don't use a
<svg> tag the code won't be translated to script. Can anyone tell me why this happens? How does
<svg> tag work?
Best How To :
The use of character references within script tags is explicitly disallowed by the HTML parser according to the HTML 5 specification.
HTML5 has a separate script parsing mode as one of a number of tokenisation modes that vary with context. Script parsing does not allow character references, some of the other parsing modes do.
SVG is based on XML where the rules are much simpler and more straightforward. Basically character references are allowed anywhere because there aren't different context sensitive parsing modes.
For SVG in html, the HTML specification says
The svg element from the SVG namespace falls into the embedded content, phrasing content, and flow content categories for the purposes of the content models in this specification.
In other words, parse all SVG text as phrasing content. All SVG is a single custom tokenisation mode for the HTML 5 parser.