MXSS Explained: Server Side HTML Sanitizers are Doomed to Fail with this XSS!
Mrgavyadha

 Published On Sep 30, 2024

XSS has been around forever, but Mutation XSS (MXSS) makes it even trickier to stop, even with all the defenses in place! In this video, we’ll break down why server-side sanitizers keep failing when it comes to handling browser quirks and parsing inconsistencies. From real-world examples to sneaky bypasses, you’ll see why sanitizing HTML on the server is a losing game.


00:00 - Intro - One bug many defenses
01:31 - TL;DR?
02:13 - Why do we need a sanitizer?
03:54 - How to perform sanitization?
05:35 - innerHTML internal
06:25 - What are mutations?
07:28 - What can go wrong with mutations?
07:43 - The first known MXSS!
10:01 - sanitize-html MXSS bypass
10:49 - Parsing differences between SVG, HTML, MathML
15:07 - Parsing differentials and why server-side sanitization is hard
16:35 - Solution for server-side sanitization
