About The Anatomy of an XSS Attack

Timestamp: 13:30

Might be nitpicky, but Alexis said that we prepended the payload with "> because there is a filter in place and that the quotation marks made it become “normal data” or something, when in fact all this does is escape the input HTML tag in order for the payload to execute.

Filtering isn’t in place here nor are we bypassing anything with ">. It’s simply an escape sequence.
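
The context break-out discussed in the post, as an added example that is not part of the original post or the course material: a value written unencoded into a quoted `value` attribute closes the attribute and the tag, while attribute encoding keeps it as data. The field name `q`, the helper names and the harmless `<em>` probe are assumptions constructed for illustration.

```javascript
// Added illustration; field name "q" and the probe string are constructed.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can end a quoted attribute value or open a tag.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Weak form: the reflected value lands inside value="..." unencoded.
function renderUnsafe(value) {
  return `<input type="text" name="q" value="${value}">`;
}

// Corrected form: same template, value encoded for the attribute context.
function renderSafe(value) {
  return `<input type="text" name="q" value="${escapeAttr(value)}">`;
}

// Minimal scanner: lists the tag names a parser would see, treating
// anything inside a quoted attribute value as data, not markup.
function tagNames(html) {
  const names = [];
  let inTag = false;
  let quote = null;
  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (!inTag) {
      const m = c === '<' && /^<\/?([a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
      if (m) { names.push(m[1].toLowerCase()); inTag = true; }
    } else if (quote) {
      if (c === quote) quote = null;   // closing quote ends the attribute value
    } else if (c === '"' || c === "'") {
      quote = c;                       // opening quote of an attribute value
    } else if (c === '>') {
      inTag = false;                   // unquoted '>' ends the tag
    }
  }
  return names;
}

const probe = '"><em>injected</em>';   // constructed, harmless probe
console.log(tagNames(renderUnsafe(probe))); // extra tags appear after <input>
console.log(tagNames(renderSafe(probe)));   // only the <input> tag remains
```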