Neat trick for SVG file upload exploits. Add a foreignObject tag and include almost any working XSS payload in the SVG image file. Helpful for bypassing CSP or bypassing servers that strip strings. Many file uploads allow SVGs and are prone to tampering. <svg width="600"

Unless I'm mistaken, this #ForeignObject is something I've heard about for years, but never actually seen. It arrived in a specimen container along with a stillborn fetus. Any ideas?

You can make any HTML/CSS layout automatically scale to container if you put it into an SVG <foreignObject> element. Just discovered it when making this responsive, dark mode aware diagram.

画像ファイルのSVGを使ったフィッシング。SVGの中にHTMLのフォームを埋め込んで認証情報がPOSTできるようになってる。foreignObjectでHTMLコンテンツを埋め込めるのでHTMLと同じような悪用が可能ですね。 https://t.co/r9evPa2Dsu

this week at scalar™ we made our github readme product animations ~50x smaller (4mb -> 80kb) by embedding our entire app’s html + css inside an svg's <foreignObject> tag here's how you can do it too ↓ p.s check out this 40kb scalar animation

wish I never learned about adding html/css in github readme's🥴 last night I fetched our top 10 contributors and animated it in a pillar put in a <foreignobject> in a <svg> in a <img> in a readme .md file on our GitHub

本日の新開拓ポイント。svgで構築中のインターフェース上で突如foreignObject中のinputの値が欲しくなって、独自の名前空間を持つとのことからそれに従って内部に記述。このscript部分を外部に記述してもgetElementすら出来ないので注意すべし

Obsessed with my fresh ink from @/scabhole (on IG) at Black Cobra Tattoos 🤙🏼🐗🔪🩸 Inspired by the song “Foreign Object” by @mountaingoatsmusic, also, by the inescapable hell 2024 has been. #themountaingoats #beatthechamp #foreignobject #neotraditional #tattoo #boartattoo

Me on #UFO Twitter rn 👽 #Aliens #UnidentifiedObject #NORAD #SpyBalloon #Canada #Montana #ForeignObject #Alien #ChineseSpyBallon

it's incredible what you can do with html/css inside of a <foreignobject> inside of a <svg> inside of a <picture> inside of a <img> inside of a markdown file inside of your gitHub readme

SVG <foreignObject> is so cool, it allows you to include HTML elements embedded inside an SVG, and browsers are able to render (most of) it:

He was acting all tough until that inanimate object King Cort - So Tired ft. Mys Vybe (Radio Edit) https://t.co/lcUAnaMZ57 #attack #inanimateobject #foreignobject #fail

#foreignobject 🤪 in all seriousness this turned me on a lot. i actually imagine this in an au where nam-gyu is more obsessed with the drugs, like way more than thanos. so hes just fucking thanos for drugs. trashy namgyu mfggsd 🤤. a convo would go like

TOOTHBRUSH FOUND IN BODY AFTER 52 YEARS 📷 #MedicalMiracle #UnbelievableNews #ForeignObject #SurgerySuccess #PatientResilience #RealLifeShock

#foreignobject in his tummy. @TheGoldenRatio4 . Good thought for Mr. Grizwold

Interactive GitHub readme with pure CSS! I put: - A grid of styled `p`s with background-color - Inside an HTML page - Inside a SVG <foreignObject /> - Inside an img link - Inside GitHub markdown which does support img 😆 https://t.co/2IhNLR0vmf

This is possibly my favourite Facebook comment ever #WWE #ForeignObject

Emails are such a pain. Email clients support is abysmal. Apparently gmail nukes svgs, and the traditional fallbacks don't work. Had to resort to foreignObject and wrapping the img element in a span tag 😅

J'ai découvert la propriété des svg foreignObject et depuis j'arrête pas de mù'amuser avec mdr. Je vais bien l'utiliser et faire un article dessus je pense.