# Server Side XSS (Dynamic PDF)
## Server Side XSS (Dynamic PDF)
If a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.\
So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**.
Please, notice that the `
```
### SVG
Any of the previous of following payloads may be used inside this SVG payload. One iframe accessing Burpcollab subdomain and another one accessing the metadata endpoint are put as examples.
```markup
```
### Path disclosure
```markup
```
### Load an external script
The best conformable way to exploit this vulnerability is to abuse the vulnerability to make the bot load a script you control locally. Then, you will be able to change the payload locally and make the bot load it with the same code every time.
```markup
')"/>
```
### Read local file
```markup
```
```markup
```
```markup