Thanks to: @pentest_swissky, @signalchaos, @itsecurityguard, @mickeyc

Follow me on https://twitter.com/si9int to stay updated!

### 1. XML

JavaScript can be embedded inside an XML file, which (after being uploaded) might trigger the payload while being rendered.

**Example**

```
alert(1)
```

*xmlns* is the XML namespace and *something* is the prefix for that namespace (to avoid name conflicts with other XML fragments). If we don't want our JavaScript payload to be treated as XML, we can use a *CDATA* section:

```
alert(1)]]>
```

*CDATA* stands for "Character Data" and means that the included data (inside the tag) could but should not be interpreted as XML. *CDATA* is part of the XML document, while a comment is not.

### 2. SVG

Since *.svg* is an XML-based vector image format, we can also embed JavaScript into SVG files using a *\<script\>* tag:

```
```

*\<polygon\>* creates a graphic which contains at least three sides (0,0; 0,50; 50,0). There are much shorter payloads for *.svg* files, including only the JavaScript part. Example (executes when the SVG image renders):

```
```

Again, we can use *CDATA* to embed our payload "silently":

```
</desc><script>alert(1)</script>
```

*\<desc\>* is not a rendered part of the graphic; it provides a description of any SVG element.
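An upload-side check for the cases described in this post, as an added example that is not part of the original post: it parses the file as XML and reports script elements regardless of prefix or *CDATA* wrapping, plus markup hidden in element text. The names `find_active_content` and `split_tag` and the sample documents are assumptions constructed for illustration, and the check covers only the variants discussed here.

```python
import xml.etree.ElementTree as ET

def split_tag(qname):
    """Split ElementTree's '{namespace}local' name into (namespace, local)."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname

def find_active_content(xml_bytes):
    """Return (kind, detail) findings for an uploaded XML/SVG document."""
    try:
        # Stdlib parser keeps the example offline; for untrusted uploads use
        # defusedxml.ElementTree.fromstring, which rejects entity declarations.
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return [("unparseable", "")]  # reject rather than guess
    findings = []
    for el in root.iter():
        ns, local = split_tag(el.tag)
        is_script = local.lower() == "script"
        # The parser has already resolved the prefix, so 'something:script'
        # and a default-namespace 'script' look the same here.
        if is_script:
            findings.append(("script-element", ns))
        # CDATA arrives as ordinary text. Markup hidden in it is inert in
        # XML but becomes live if the text is ever written out unescaped.
        if not is_script and "<script" in (el.text or "").lower():
            findings.append(("markup-in-text", local))
    return findings

# Constructed sample uploads (not taken from the page).
XHTML = b"http://www.w3.org/1999/xhtml"
SVG = b"http://www.w3.org/2000/svg"
SAMPLES = {
    "prefixed": b'<doc><x:script xmlns:x="' + XHTML + b'">alert(1)</x:script></doc>',
    "cdata": b'<doc><x:script xmlns:x="' + XHTML
             + b'"><![CDATA[alert(1)]]></x:script></doc>',
    "svg": b'<svg xmlns="' + SVG + b'"><polygon points="0,0 0,50 50,0"/>'
           b'<script>alert(1)</script></svg>',
    "desc": b'<svg xmlns="' + SVG + b'"><desc><![CDATA[</desc>'
            b'<script>alert(1)</script>]]></desc></svg>',
    "clean": b'<svg xmlns="' + SVG + b'"><polygon points="0,0 0,50 50,0"/></svg>',
    "broken": b'<svg><script>alert(1)</svg>',
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, find_active_content(data))
```

A non-empty result is a reason to reject the upload or to serve it only as a download with a non-renderable content type.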