HTMLSANDBOX

KEY POINT

• Create arbitrary html documents but you have to:
• Set csp to default-src none
• Event handlers and tags massive blacklist
• Content-Type miss charset informations
• ISO-2022-JP shenigans
• Chrome content-type sniffing