web javascript execcommand xss html-sink wysiwyg

Use rich-text commands like insertHTML as explicit parser sinks when you control both command and value.

document.execCommand() as an HTML Sink

Rich-text commands like insertHTML are explicit parser sinks. If an attacker controls both the command and the inserted value, the browser parses and inserts active HTML.

Why It Works

  • insertHTML (and similar) feed their argument straight into HTML parsing within the editable context.

Vulnerable Pattern

  • WYSIWYG editors, games, or custom UI components exposing execCommand wrappers to untrusted input.

Exploit Flow

  1. Verify whether the code path calls insertHTML, createLink, or another command reaching HTML parsing.
  2. Adapt the payload to the surrounding DOM and CSP.

Variations

  • SVG, event handlers, DOM clobbering, or CSS-based payloads if inline script is blocked.

Common Blockers

  • Modern browsers deprecate execCommand inconsistently, but many still implement the dangerous commands.

PoC Sketch

document.execCommand("insertHTML", false, "<svg/onload=alert(1)>");
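The sketch above and the "Why It Works" bullet can be modelled without a browser. The following is an added example, not code from the original page: `FakeEditableDoc` is an assumed stand-in for a contenteditable `document` (same `execCommand(command, showUI, value)` signature) that appends `insertHTML` values raw and `insertText` values escaped, and `safeExecCommand` is an assumed hardened wrapper that never lets untrusted input select an HTML-parsing command. The command names come from the page; the allow-list is an assumption.

```javascript
// Added example (assumed code, not from the original page): a model of the
// execCommand sink beside a hardened wrapper.

// Escape text so it renders literally instead of being parsed as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal stand-in for a contenteditable document so this runs outside a
// browser. insertHTML is the parser sink: its value lands in the DOM as
// markup. insertText inserts its value as text only.
class FakeEditableDoc {
  constructor() {
    this.innerHTML = "";
  }
  execCommand(command, showUI, value) {
    const cmd = String(command).toLowerCase();
    if (cmd === "inserthtml") {
      this.innerHTML += String(value);              // parsed as HTML
      return true;
    }
    if (cmd === "inserttext") {
      this.innerHTML += escapeHtml(String(value));  // rendered as text
      return true;
    }
    return false; // unsupported command: browsers report failure the same way
  }
}

// Commands whose value reaches the HTML parser (the page names insertHTML and
// createLink). Untrusted input must never select one of these.
const HTML_SINK_COMMANDS = new Set(["inserthtml", "createlink"]);

// Assumed allow-list of commands a wrapper may expose to untrusted callers;
// none of them parse their argument as markup.
const ALLOWED_COMMANDS = new Set(["inserttext", "bold", "italic", "underline"]);

// Hardened wrapper: the caller may influence the value, but the command is
// checked against the allow-list and HTML-sink commands are refused outright.
function safeExecCommand(doc, command, value) {
  const cmd = String(command).toLowerCase();
  if (HTML_SINK_COMMANDS.has(cmd)) {
    return { ok: false, reason: "html-sink command refused" };
  }
  if (!ALLOWED_COMMANDS.has(cmd)) {
    return { ok: false, reason: "command not on allow-list" };
  }
  return { ok: doc.execCommand(cmd, false, value), reason: null };
}

// Run the page's PoC value through both paths and return what ends up in the DOM.
function compare(untrusted) {
  const rawDoc = new FakeEditableDoc();
  rawDoc.execCommand("insertHTML", false, untrusted);       // vulnerable pattern

  const safeDoc = new FakeEditableDoc();
  const refused = safeExecCommand(safeDoc, "insertHTML", untrusted);
  safeExecCommand(safeDoc, "insertText", untrusted);         // text-only path

  return { raw: rawDoc.innerHTML, safe: safeDoc.innerHTML, refused };
}
```

With the page's own value, `compare("<svg/onload=alert(1)>")` leaves the markup intact in the vulnerable document and only an escaped string in the hardened one. The policy matters more than the mock: an allow-list of commands that never parse markup is the check to look for in any execCommand wrapper that takes user input.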

Good Situations To Use It

  • The app wraps execCommand with attacker-influenced input.
  • An HTML-parsing command is reachable.
  • You control both command and value.

Sources

  • fcsc2026/web/10_fast_fishers