Hi guys!
Do you know if it is exploitable that I can inject some payload into the link rel=“canonical” tag?
<link rel="canonical" href="http://google.com/xss{PAYLOAD_HERE}"/>
The > symbol is filtered, the " one is not so I can break the tag attribute but can not escape from it.
Hi skavans,
if you can insert ", then you may want to try to add " rel="import" href="https://someurljusttotest/ and see if the browser (it just works on Chrome) makes a request to someurljusttotest.
Hi,
It has been a while since the topic have started but I wonder whether you succes to exploit or not. I couldn’t use the technique that @stefanofindsbugs tells. having 2 rel in a tag doesn’t help because browser just care about first one, second one is ignored (at least in latest chrome 63.0.3239 version )
Hi @monochrome, I replied to the other thread you started here Any Idea to Trigger Execution of JavaScript in rel Tag.
sorry I posted this comment to another post of yours first and had to delete it 
was wondering if you ever got any closure to your question? I found myself at the same spot and I need help