Gareth Heyes
@garethheyes.co.uk
javascript:/*--></title></style></textarea></script></xmp><svg/onload='-/"/-/onmouseover=1/-/[*/[]/-alert(1)//'>
https://garethheyes.co.uk/#latestBook
BTW you can make it better without a further HTTP request. Stick a data url in the Link header :D
November 9, 2025 at 9:54 PM
That's awesome! You can put CSS in the Link header on Firefox 😉 that way you can have blank source code hehe
November 7, 2025 at 5:53 PM
The more elegant version is on the XSS cheat sheet:
portswigger.net/web-security...
Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security Academy
Interactive cross-site scripting (XSS) cheat sheet for 2025, brought to you by PortSwigger. Actively maintained, and regularly updated with new vectors.
portswigger.net
October 30, 2025 at 12:51 PM
Thanks for the info about the permissions flag!
October 2, 2025 at 1:28 PM
Yeah I have some scripts that use them
October 2, 2025 at 1:22 PM
Will do, I assume there's nothing you can do about .env files?
October 2, 2025 at 1:11 PM
That looks really handy thanks mate
October 2, 2025 at 1:08 PM
Is there gonna be a video?
October 2, 2025 at 11:09 AM
Hiya, sure mate. The attacker's page doesn't have CSP but the victim does. If you look at:
subdomain1.portswigger-labs.net/bypassing-cs...
You'll see it does have CSP. Cheers
September 25, 2025 at 7:59 AM