This is an XSS script:
<svg><script>alert(1)</script></svg>
The code between the <script> tags will be translated to alert(1) by the browser and executed. But if I don't use an <svg> tag the code won't be translated to script. Can anyone tell me why this happens? How does the <svg> tag work?
The use of character references within script tags is explicitly disallowed by the HTML parser according to the HTML 5 specification.
HTML5 has a separate script parsing mode as one of a number of tokenisation modes that vary with context. Script parsing does not allow character references, some of the other parsing modes do.
SVG is based on XML where the rules are much simpler and more straightforward. Basically character references are allowed anywhere because there aren't different context sensitive parsing modes.
For SVG in HTML, the HTML specification says
In other words, parse all SVG text as phrasing content. All SVG is a single custom tokenisation mode for the HTML 5 parser.
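To make the difference described above concrete, here is an added, deliberately simplified model of the two tokenizer behaviours (it is not code from the question or the answer and not a full HTML5 parser): it reports what text each script element would hand to the script engine, leaving character references untouched in ordinary HTML script data but decoding them inside SVG foreign content. The inputs using the character reference &#97; are constructed for the illustration; the point for a sanitizer or detector is that inspecting script text without tracking foreign content compares against the wrong, un-decoded form.

```python
import html
import re
from typing import List

# Constructed, simplified model of the HTML5 tokenizer behaviour discussed in
# the answer. It ignores comments, escaped script states and CDATA, and only
# tracks whether the current position is inside <svg>/<math> foreign content.
TAG = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")
SCRIPT_END = re.compile(r"</script\s*>", re.IGNORECASE)
FOREIGN_ROOTS = {"svg", "math"}


def script_text_as_executed(markup: str) -> List[str]:
    """Return, per <script> element, the text the browser would execute.

    - HTML <script>: tokenizer is in the "script data" state, so the raw
      text (character references included, undecoded) is passed through.
    - <script> inside SVG foreign content: text is tokenized in the data
      state, so character references are decoded first.
    """
    scripts = []
    foreign_depth = 0
    pos = 0
    while (m := TAG.search(markup, pos)):
        closing, name = m.group(1) == "/", m.group(2).lower()
        pos = m.end()
        if name in FOREIGN_ROOTS:
            foreign_depth += -1 if closing else 1
            continue
        if name == "script" and not closing:
            end_match = SCRIPT_END.search(markup, pos)
            end = end_match.start() if end_match else len(markup)
            raw = markup[pos:end]
            scripts.append(html.unescape(raw) if foreign_depth > 0 else raw)
            pos = end
    return scripts


if __name__ == "__main__":
    # Constructed samples: same script body, with and without an SVG parent.
    for sample in ("<script>&#97;lert(1)</script>",
                   "<svg><script>&#97;lert(1)</script></svg>"):
        print(repr(sample), "->", script_text_as_executed(sample))
```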