phantom img load

xss.py

@@ -193,8 +193,8 @@ def doTest( url, method='GET', post_params='' ):
     # _phantom = '/usr/local/bin/node'
 if not os.path.isfile(_phantom):
     parser.error( 'phantomjs not found!' )
-# _phantom_cmd = _phantom + ' ' + os.path.dirname(os.path.realpath(__file__)) + '/phantom-xss.js'
-_phantom_cmd = _phantom + ' --load-images=false ' + os.path.dirname(os.path.realpath(__file__)) + '/phantom-xss.js'
+_phantom_cmd = _phantom + ' ' + os.path.dirname(os.path.realpath(__file__)) + '/phantom-xss.js'
+# _phantom_cmd = _phantom + ' --load-images=false ' + os.path.dirname(os.path.realpath(__file__)) + '/phantom-xss.js'
 # _phantom_cmd = _phantom + ' ' + os.path.dirname(os.path.realpath(__file__)) + '/puppeteer-xss.js'
 # print( _phantom_cmd )
 
@@ -281,7 +281,7 @@ def doTest( url, method='GET', post_params='' ):
 # source: https://twitter.com/brutelogic/status/1138805808328839170
 if not n_payloads:
     t_payloads = [
-        '\'"--><img src=x onerror=prompt(1)>',
+        '\'"--><img src=x onerror=prompt(1)>', # phantom image loading is disabled
         '"autofocus onfocus=prompt(1)//',
         '\'"--></script><script>prompt(1)</script>',
         "'-prompt(1)-'",