[Khao]

"Officially", SRT files are only timecodes and text, but most players support html codes directly like <b> <i> <u> to support more formatting options than the basic SRT. I wonder if some of them simply render the text as html and could be vulnerable to similar attacks. I say "Officially" because SRT has no standard, it just evolved through usage and it's a fucking mess, as I'm a software dev working on a subtitling editor software.

[olau]

I seen a similar problem in another context where a browser engine is used to render some simple HTML in an app for convenience, but then suddenly turns into something exploitable because nobody is thinking about updating the engine when a bug is found in an esoteric (for the app) feature.

Embedded web engines should probably have a minimalistic safe mode.