I was wondering what the opinion is about decoding payloads prior to passing them over to getsafehtml/fragment.
In some cases, when one or more encodings are applied to a payload, all getsafehtml does is leave it encoded. It still makes me nervous not to see some of it stripped.
What do y'all think?
example: <SCRIPT SRC=http://testsite.com/xss.js></SCRIPT>
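Added example, not part of the original post and not AntiXSS's own code: it models the behaviour the post describes with a toy script-stripping sanitizer (a hypothetical stand-in for GetSafeHtmlFragment, far less thorough than the real library) and shows the payload above passing through untouched when it arrives HTML-entity-encoded, URL-encoded twice, or with two different encodings layered, and being caught only once every encoding layer is removed first. The encoded variants are constructed for the example; the decoders, the pass cap and the "decode then sanitize" wrapper are assumptions, not library calls.

```javascript
// Added example; not from the original post and not AntiXSS's own code.
// A sanitizer only sees the literal characters it is handed, so a payload that
// arrives entity-encoded or URL-encoded (once or several times) passes through
// untouched and is only caught once every encoding layer has been removed.

// Payload from the post.
const PAYLOAD = '<SCRIPT SRC=http://testsite.com/xss.js></SCRIPT>';

// Constructed encoded variants of that payload (assumption: the kinds of input
// the post has in mind; not taken from real traffic).
const ENTITY_ENCODED = '&lt;SCRIPT SRC=http://testsite.com/xss.js&gt;&lt;/SCRIPT&gt;';
const DOUBLE_URL_ENCODED = encodeURIComponent(encodeURIComponent(PAYLOAD));
// '%' itself entity-encoded as &#37; on top of URL encoding: two different layers.
const MIXED_ENCODED = '&#37;3CSCRIPT SRC=http://testsite.com/xss.js&#37;3E&#37;3C/SCRIPT&#37;3E';

// Toy stand-in for GetSafeHtmlFragment (hypothetical; the real library is far
// more thorough). It only removes script elements, which is enough to show what
// happens when the input is encoded.
function toySanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '') // whole <script>...</script>
    .replace(/<\/?script\b[^>]*>/gi, '');                   // stray script tags
}

// Minimal HTML entity decoder: numeric (&#60; &#x3C;) plus the named entities
// an attacker would use around a tag. Unknown entities are left as-is.
const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
function htmlEntityDecode(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isInteger(cp) && cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const v = NAMED_ENTITIES[body.toLowerCase()];
    return v === undefined ? match : v;
  });
}

function urlDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // malformed %xx: leave as-is
}

// Strip encoding layers until the string stops changing. The cap keeps a
// hostile input from making us loop; a string still changing at the cap is
// flagged (truncated) rather than trusted.
function decodeAllLayers(s, maxPasses = 5) {
  let current = s;
  for (let passes = 0; passes < maxPasses; passes++) {
    const next = htmlEntityDecode(urlDecode(current));
    if (next === current) return { value: current, passes, truncated: false };
    current = next;
  }
  return { value: current, passes: maxPasses, truncated: true };
}

// Canonicalise first, then sanitize: the order the post asks about.
function sanitizeAfterDecoding(s) {
  return toySanitize(decodeAllLayers(s).value);
}

// Show what the sanitizer does with each variant, before and after decoding.
function report(label, input) {
  const { passes } = decodeAllLayers(input);
  console.log(`${label}\n  sanitize only         : ${JSON.stringify(toySanitize(input))}` +
              `\n  decode (${passes} passes) then sanitize: ${JSON.stringify(sanitizeAfterDecoding(input))}`);
}
report('raw', PAYLOAD);
report('entity-encoded', ENTITY_ENCODED);
report('double URL-encoded', DOUBLE_URL_ENCODED);
report('mixed', MIXED_ENCODED);
```

Run it with node. The "sanitize only" lines are the behaviour the post describes: the encoded payloads come back exactly as they went in, because there is no `<` for the sanitizer to act on. Whether that is a problem depends entirely on what happens to the output afterwards: an entity-encoded string dropped into an HTML body renders as literal text, but the same string is live the moment a later step URL-decodes it, entity-decodes it, or runs it through a second template pass. The safe order is therefore to canonicalise the input into the form the browser will actually receive, sanitize that, and never decode again after sanitizing. The regex sanitizer here is only a model; do not use it in place of a real HTML sanitizer.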