Hey, thanks - it's a valid concern, though an important point (which isn't really well explained in the document) is that this payload will work even if the tag isn't properly terminated.

One of the reasons for using such broken payloads is to demonstrate that browsers will happily parse broken markup and that approaches such as removing "<.*>" won't be effective as a technique to prevent XSS (because such a regexp won't match an unterminated tag like the example you pointed out).

Still, it could at least use a better explanation. The documentation fairy will take a look!

Thank you for this explanation. It makes sense to me now as before I would have expected the "<.*>" approach to make it safe. It's a shame browsers are so resilient :)

Some of their products have bug trackers. That said, I submitted some fixes to their Android docs in the Android issue tracker years ago. Really obvious stuff like where their sample code would cause a crash due to trying to start a dialog with the wrong type of context, etc.. They never fixed them. So there is essentially no way. They apparently have a bug bounty system, but you would have to exploit their mistakes to do injection or something before the mistake would qualify.

Thanks for at least attempting to contribute! If you'll point me towards the patches, or at least the bad docs, is be happy to help get them fixed.