Does escaping quotes in an HTML attribute context prevent XSS?



  • I'm learning about XSS and I found I can inject code in this tag a few days ago.

    Tag:

    <div id="pagenotfound" title='Cannot find /it/search/testtesttesttetst\'onload=alert(1)'>
    

    My payload:

    /testtesttesttetst'onload=alert(1)
    

    URL:

    /it/search//testtesttesttetst'onload=alert(1)
    

    I have locked < > " & % and many more characters (when I put ' it automatically becomes \' ) (the last ' already comes with the page). So, is it possible to inject any type of XSS payload in this website?



  • Yes, XSS is possible.

    Escaping is not a proper defense against XSS in an HTML attribute value context because the HTML parser doesn't care about escaping (it only cares about encoding).

    When you have

    <div title='test\' foo=bar '>
    

    browsers will interpret foo as an attribute and bar as a value.

    So why isn't your payload firing? Because onload is not a valid attribute for div. What will work is a payload such as test\'onmouseover=alert(1):

    <div title='test\'onmouseover=alert(1) '>test</div>
    

    In some browsers, you can also gain XSS without user interaction in a div, see e.g. here.
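The answer's point, as an added Python example that is not from the original post: a minimal tokenizer following the HTML spec's attribute-value states (a quoted value ends at the first matching quote and a backslash is an ordinary character) shows that backslash-escaping a user-controlled path leaves an injected onmouseover attribute in the tag, while entity-encoding the quote with html.escape keeps the whole path inside the title value. The build_title_div template is an assumption constructed to mirror the question's tag.

```python
import html
import re

# Simplified HTML start-tag attribute tokenizer. It follows the spec's
# attribute-value states: a quoted value ends at the first matching quote
# and a backslash is an ordinary character; an unquoted value ends at
# whitespace or ">". (No entity decoding; one tag only.)
ATTR_RE = re.compile(
    r"""\s*([^\s=/>]+)(?:\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+)))?"""
)


def parse_tag_attributes(tag: str) -> dict:
    """Return {name: value} as a browser would see the tag's attributes."""
    m = re.match(r"<\s*[A-Za-z][^\s/>]*", tag)
    body = tag[m.end():].rstrip(">").rstrip("/")
    attrs, pos = {}, 0
    while pos < len(body):
        am = ATTR_RE.match(body, pos)
        if not am:
            break
        name, sq, dq, uq = am.groups()
        value = next((v for v in (sq, dq, uq) if v is not None), "")
        attrs[name.lower()] = value
        pos = am.end()
    return attrs


def backslash_escape(s: str) -> str:
    """The site's approach from the question: ' becomes \\' (ineffective)."""
    return s.replace("'", "\\'")


def entity_encode(s: str) -> str:
    """Attribute-safe output: ' -> &#x27;, " -> &quot;, & -> &amp;, < -> &lt;."""
    return html.escape(s, quote=True)


def build_title_div(path: str, sanitizer) -> str:
    """Assumed template (constructed) mirroring the question's tag."""
    return f"<div id=\"pagenotfound\" title='Cannot find {sanitizer(path)}'>"


# Constructed input modelled on the answer's onmouseover payload.
PATH = "/it/search/testtesttesttetst'onmouseover=alert(1) "

if __name__ == "__main__":
    for label, fn in (("backslash", backslash_escape), ("encode", entity_encode)):
        print(label, parse_tag_attributes(build_title_div(PATH, fn)))
```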


