Published 11 months ago • Last updated June 17, 2025 • ⏱️ < 1 min read
I wanted to learn WebSockets, since I’d never done any development work with them before. I had this idea stuck in my head - using HackPad to test multiple browsers simultaneously - because constantly switching between browsers to test edits was frustrating. That led to the concept of Hacking Rooms: a simple chat channel where you can test HTML flaws by sending messages to HackPad as you try out different vectors.
It took around 3 days to build and it's still a bit rough around the edges but it's already useable and I found an interesting HTML flaw on Safari and Chrome on my lunch hour!
Check it out! Hacking room
And here is the vector I found:
<svg><title><![CDATA[--></title><img src onerror=alert(1)>]]>
I use a title tag and a CDATA section, in a CDATA you are supposed to be able to use tags without them being rendered until the closing section is found ]]> but Chrome and Safari convert it to a comment which allows you to "break out" of the CDATA using a closing comment tag. You can see a video of how I found it here: