Exploiting prototype pollution in a vulnerable jQuery plugin to manipulate the HTML sanitizer's whitelist and achieve XSS. By injecting custom attributes into the global object, the attack bypasses client-side filtering and executes a malicious payload.
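
The mechanism described above, as an added example that is not code from the original write-up or from the plugin or sanitizer it discusses. It uses a constructed recursive merge and a constructed attribute allowlist to show why a plain-object lookup inherits polluted keys, next to a guarded merge and a `Set`-based allowlist that do not. All function names and the `data-constructed` attribute are assumptions made for illustration.

```javascript
// Added example: constructed helpers, not taken from any real plugin or sanitizer.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursive merge. With guard=false it copies every key, so a "__proto__"
// key from parsed JSON makes the recursion write into Object.prototype.
function merge(target, source, guard) {
  for (const key of Object.keys(source)) {
    if (guard && BLOCKED_KEYS.has(key)) continue; // mitigation: never follow these keys
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      merge(target[key], value, guard);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Weak allowlist: a plain object, so lookups fall through to Object.prototype.
const WEAK_ALLOWLIST = { href: true, title: true };
function weakIsAllowed(attr) {
  return Boolean(WEAK_ALLOWLIST[attr]);
}

// Hardened allowlist: a Set answers membership without any prototype lookup.
const STRICT_ALLOWLIST = new Set(['href', 'title']);
function strictIsAllowed(attr) {
  return STRICT_ALLOWLIST.has(attr);
}

function demo() {
  // Constructed input: a benign marker attribute under a "__proto__" key.
  const input = JSON.parse('{"__proto__": {"data-constructed": true}}');
  const result = { before: weakIsAllowed('data-constructed') };
  merge({}, input, false);
  result.weakAfterUnsafeMerge = weakIsAllowed('data-constructed');
  result.strictAfterUnsafeMerge = strictIsAllowed('data-constructed');
  delete Object.prototype['data-constructed']; // undo the pollution
  merge({}, input, true);
  result.weakAfterGuardedMerge = weakIsAllowed('data-constructed');
  return result;
}

console.log(demo());
```

Either fix alone closes this path, but applying both (filtering keys in the merge and keeping the allowlist out of prototype lookups) means a single missed merge elsewhere does not reopen the sanitizer.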