This article reverse-engineers Claude's generative UI implementation, revealing it uses a show_widget tool call with direct DOM injection (not iframes), progressive documentation disclosure via read_me, and live HTML streaming from CDNs secured by Content Security Policy. The author then implements a similar system for pi, a terminal-based coding agent, using Glimpse (a native macOS WKWebView library) to render interactive widgets.
XSS vulnerability in dynamically generated PDF endpoint where unsanitized user input (utrnumber parameter) is rendered as HTML/JavaScript in PDFs, allowing arbitrary JavaScript execution under file:// origin and enabling local file read via XMLHttpRequest to access /etc/passwd.
A researcher escalated XSS in a PhantomJS image rendering endpoint to arbitrary local file read by exploiting JavaScript execution in the file:// context, using document.write to force synchronization and XMLHttpRequest to exfiltrate files from the Lambda environment at /var/task/.
A technique to escalate self-XSS in Moodle into full XSS against arbitrary users by exploiting double session cookies with different paths combined with login CSRF or impersonation functionality, allowing arbitrary JavaScript execution in victim context for full account compromise.
CVE-2019-17004 is a semi-universal XSS vulnerability in Firefox for iOS that allowed attackers to execute JavaScript on arbitrary origins by exploiting insufficient checks on JavaScript execution via Location response headers, originating from the bookmarklets functionality. The vulnerability was also found in Brave for iOS and both vendors patched it after responsible disclosure.