Listen to this Post
The vulnerability manifests in four ways when custom policies are used: First, by preserving foreign namespaces (SVG/MathML) via a custom policy, an attacker can inject active HTML integration points (e.g., <foreignObject>, <annotation‑xml>) or mutation‑XSS payloads that survive sanitization, as well as SVG `filter=”url(…)”` attributes that trigger external fetches. Second, policies that keep `
