HTML/CSS Sanitizer Escapes & Email Tracking

Sanitizer bypasses in email clients and rich-text editors: SVG, SMIL, CSS escapes, position:fixed. The bug class that consistently pays out on hardened clients like Roundcube and ProtonMail.

pyus3rCreator

8Resources

Save to My Collections

writeup

Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs

writeup

SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent

writeup

Unquoted body background attribute enables CSS injection that bypasses remote image blocking

writeup

position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays.

writeup

SVG filter primitives bypass remote image blocking, enabling email tracking without consent.

writeup

Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes

writeup

HTML Injection via Email Address Payloads

writeup

LogicalBreach Academy

HTML/CSS Sanitizer Escapes & Email Tracking

Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs

SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent

Unquoted body background attribute enables CSS injection that bypasses remote image blocking

position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays.

SVG filter primitives bypass remote image blocking, enabling email tracking without consent.

Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes

HTML Injection via Email Address Payloads

HTML Injection in DAST Trial Request Form Confirmation Email – PortSwigger