XSS Gadgets
XSS gadgets are properties that, once polluted, disable the application's HTML-escaping pipeline, so that attacker-supplied input later rendered into a page is interpreted as markup instead of text.
Third-party packages
| Library | Trigger | Polluted property |
|---|---|---|
| bs4 | `EntitySubstitution.substitute_xml` | `EntitySubstitution.CHARACTER_TO_XML_ENTITY['<']` |
| taipy.gui | `type(content).__name__` rendered as HTML | `<class>.__name__` |
Real-world cases
| Application | Polluted property | Mechanism | CVE |
|---|---|---|---|
| django-unicorn | `EntitySubstitution.CHARACTER_TO_XML_ENTITY['<']` | WebSocket via `set_property_value` | CVE-2025-24370 |
| Taipy | `<class>.__name__` | HTTP/SocketIO via `_attrsetter` | CVE-2025-30374 |