====== data URI scheme (+ XSS) ======

Lessons learned from **Google Capture The Flag 2024**: [WEB] sappy

In challenges where we need **XSS** and, for example, the host is checked, we can do the following using the **data** URL scheme:

<code javascript>
// A data: URL written with "//" still parses with a host component.
let url = new URL("data://osorin.net/,");

fetch(url)
  .then(response => response.text())
  .then((response) => {
    console.log(response); // body is whatever follows the comma
  })
  .catch(err => console.log(err));

console.log(url.host); // "osorin.net"
</code>

Other write-up(s) with different solutions: https://adragos.ro/google-ctf-2024/#sappy
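
The defensive side of the snippet above, as an added example that is not part of the original notes: a host-only check accepts the ''data:'' URL, while a check that also pins the scheme rejects it. The function names are hypothetical, and the allowlisted host reuses ''osorin.net'' from the snippet as an assumption.

```javascript
// Added example: host-only allowlist check vs. a check that also pins the scheme.
// ALLOWED_HOST is an assumption (taken from the snippet above); names are hypothetical.
const ALLOWED_HOST = "osorin.net";

// Weak: trusts any URL whose host matches, whatever the scheme is.
function hostOnlyCheck(input) {
  try {
    return new URL(input).host === ALLOWED_HOST;
  } catch {
    return false; // unparsable input is rejected
  }
}

// Hardened: the scheme must be https AND the host (including port) must match.
function strictCheck(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return false;
  }
  return url.protocol === "https:" && url.host === ALLOWED_HOST;
}

// Constructed sample inputs, not taken from the challenge.
const samples = [
  "https://osorin.net/api/page",  // intended use
  "data://osorin.net/,",          // inline data carrying a matching host
  "http://osorin.net/",           // right host, wrong scheme
  "https://osorin.net.example/",  // different host
];

// Run both checks over each input so the differences are visible side by side.
function compare(inputs) {
  return inputs.map((u) => ({
    url: u,
    hostOnly: hostOnlyCheck(u),
    strict: strictCheck(u),
  }));
}

console.table(compare(samples));
```

Rows where ''hostOnly'' is true and ''strict'' is false are the inputs a host-only check lets through.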