How I was able to Bypass XSS Protection on HackerOne’s Private Program

So, I was testing a private program on HackerOne and tried to find some basic vulnerabilities. There was a functionality where I can write a post and publish it on the internet. So I was looking for a Cross-Site Scripting bug there, but the application was a bit strong enough (not fully) to protect it. The editor looks like:

I tried basic payloads like “><svg/onload=confirm(1);> and all, but failed. Then I noticed that the application was removing all the payloads having the word “on”, like onerror and onload, basically event handlers.
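The filtering behaviour described above, contrasted with output encoding, as an added example that is not the program's code or part of the original post. `denylistFilter` is an assumed reconstruction of "strip anything that looks like an on... handler"; the function names and the benign sample text are constructed for illustration.

```javascript
// Assumed reconstruction of the filter the post describes: remove anything
// that looks like an "on..." event-handler attribute. Not the program's code.
function denylistFilter(input) {
  return input.replace(/on\w+\s*=/gi, "");
}

// Defensive alternative: encode every HTML-significant character on output,
// so user text is rendered as text whatever it contains.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// True if the string would still open or close an HTML element in a page body.
function containsMarkup(output) {
  return /<[a-z\/!]/i.test(output);
}

// Run both treatments on one input and report what each leaves behind.
function compare(input) {
  const filtered = denylistFilter(input);
  const escaped = escapeHtml(input);
  return {
    filtered,
    escaped,
    filteredHasMarkup: containsMarkup(filtered),
    escapedHasMarkup: containsMarkup(escaped),
    // A filter that rewrites harmless text is corrupting user content.
    filterChangedBenignText: !containsMarkup(input) && filtered !== input,
  };
}

const samples = [
  '"><svg/onload=confirm(1);>',           // payload quoted in the post (straight quote)
  "Enable onboarding=true in the config", // constructed benign text
];
for (const s of samples) {
  console.log(compare(s));
}
```

The denylist removes the handler but still lets an element through and rewrites harmless text, while encoding leaves both inputs intact and inert.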

Then I tried script alert(1); and the output:

I was like

I quickly went through the post of my brother Armaan and the great Ak1t4 to get an idea of how I could bypass this. Some of the payloads I used and the outputs I got are:





I was like

The last Attack


and Boom..!!

I know I did it in a noobish way to get the alert, but I am a noob and just want to tell the community that “There is always a way, you just have to try harder”.