everyday-pelican/content/media/2015/03/svg-edit-2.7/extensions/form-test.html

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta charset="utf-8" />
    <title></title>
		<script src="http://code.jquery.com/jquery-1.10.2.min.js"></script>
</head>
<body>
<form action="filesave.php">
<input type="hidden" value="" name="output_svg" />
</form>
<script>
/*globals $*/
function xhtmlEscape(str) {'use strict';
		return str.replace(/&(?!amp;)/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;'); // < is actually disallowed above anyways
	}
$('<form>').attr({
					method: 'post',
					action: 'filesave.php',
					target: 'output_frame'
				}).append('<input type="hidden" name="output_svg" value="' + xhtmlEscape('<svg width="640" height="480" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg"><script>alert(document.cookie);<\/script><\/svg>') + '">')
					.appendTo('body')
					.submit().remove();
</script>

</body>
</html>
new posts 10 years ago			`<!DOCTYPE html>`
			`<html xmlns="http://www.w3.org/1999/xhtml">`
			`<head>`
			`<meta charset="utf-8" />`
			`<title></title>`
			`<script src="http://code.jquery.com/jquery-1.10.2.min.js"></script>`
			`</head>`
			`<body>`
			`<form action="filesave.php">`
			`<input type="hidden" value="" name="output_svg" />`
			`</form>`
			`<script>`
			`/globals $/`
			`function xhtmlEscape(str) {'use strict';`
			`return str.replace(/&(?!amp;)/g, '&').replace(/"/g, '"').replace(/</g, '<'); // < is actually disallowed above anyways`
			`}`
			`$('<form>').attr({`
			`method: 'post',`
			`action: 'filesave.php',`
			`target: 'output_frame'`
			`}).append('<input type="hidden" name="output_svg" value="' + xhtmlEscape('<svg width="640" height="480" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg"><script>alert(document.cookie);<\/script><\/svg>') + '">')`
			`.appendTo('body')`
			`.submit().remove();`
			`</script>`

			`</body>`
			`</html>`