Explore a novel web hacking technique that bypasses XSS mitigations through script gadgets in this 47-minute conference talk from AppSec EU 2017. Learn how attackers can abuse legitimate JavaScript code to execute malicious scripts, even in the presence of HTML sanitizers and Content Security Policy. Discover real-world examples of script gadgets in popular JavaScript libraries, APIs, and applications. Examine the process of injecting benign elements that match gadget selectors, leading to unintended script execution. Gain insights into the limitations of current XSS prevention methods and understand the potential risks associated with this technique. Delve into specific examples, including gadgets in Knockout.js and expression parsers, to better comprehend the mechanics of this attack vector. Conclude with a summary of the implications and potential future developments in this area of web security.