Re: XSS (in 20 chars) in Microsoft IIS 7.5 error message

Posted by Mark Steward on Dec 03

I’ve spotted this before and ignored it because it’s all HTML-escaped. You
can actually put as much as you like before the equals, presumably
including script tags. You can also include enough after the equals to
write something like “<iframe src=//xy.co>”.

Where are you seeing it unescaped? Is it some third-party handler? Try on a
clean install with just an empty .aspx and a web.config with an empty
configuration…
