Mike Rifgin

Reputation: 10745

Is an XSS exploit possible when injected code is output inside quoted html attributes

If I have a piece of HTML like so:

<div class="feature-some-id">

and the some-id portion of the class has originated from user input via a query param, and that query param has not been escaped on the server, I am able to do this:

<div class="feature-some-id</script>">

The html is output via an express app like so:

res.render('my-template', {
  classNameSuffix: req.params.id
});

so it's raw user input.

Is there any way an attacker can break out of that script so that a script could be executed?

Upvotes: 0

Views: 66

Answers (1)

dave

Reputation: 64657

If you can pass in a quote as part of the query param

?id=some-id"><script>alert()</script>

and have it end up, unescaped, in req.params.id, then you would get

<div class="feature-some-id"><script>alert()</script>

in which, obviously, you could replace alert() with any code you wanted to execute.

Upvotes: 2
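The breakout described in the answer, as an added example that is not part of the original question or answer: a stand-in for the question's unescaped template beside a hardened one that attribute-escapes the value, both run against the quote-bearing payload from the answer. The function names, the escaper and the crude tag counter are assumptions for illustration; `res.render` itself is not called, the string building stands in for what the template engine produces.

```javascript
// Added example (not from the original post). Shows why a double quote in
// user input breaks out of a double-quoted attribute, and that HTML-escaping
// the value closes that hole. Assumed helper names; constructed inputs.

// Minimal attribute escaper. Escaping & < > " and ' is enough for a value
// placed inside a double- or single-quoted HTML attribute.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for the vulnerable template: the raw value is interpolated, which is
// what an engine's "unescaped output" syntax (e.g. {{{ }}} or <%- %>) does.
function renderUnescaped(classNameSuffix) {
  return `<div class="feature-${classNameSuffix}"></div>`;
}

// Hardened stand-in: the value is escaped for attribute context first, which
// is what an engine's default escaped-output syntax ({{ }} or <%= %>) does.
function renderEscaped(classNameSuffix) {
  return `<div class="feature-${escapeHtmlAttr(classNameSuffix)}"></div>`;
}

// Defence in depth: a class-name suffix never legitimately needs quotes or
// angle brackets, so an allowlist rejects the payload before rendering.
function isValidSuffix(classNameSuffix) {
  return /^[a-z0-9-]+$/i.test(String(classNameSuffix));
}

// Crude context check (not a real HTML parser): counts element start tags.
// The intended markup contains exactly one; an injected <script> makes two.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed attacker input, the payload from the answer above.
const payload = 'some-id"><script>alert()</script>';

const vulnerable = renderUnescaped(payload);
const hardened = renderEscaped(payload);

console.log("vulnerable:", vulnerable);
// <div class="feature-some-id"><script>alert()</script>"></div>
console.log("hardened:  ", hardened);
// <div class="feature-some-id&quot;&gt;&lt;script&gt;alert()&lt;/script&gt;"></div>
console.log("start tags:", countStartTags(vulnerable), "vs", countStartTags(hardened));
console.log("allowlist accepts payload:", isValidSuffix(payload));
```

The escaped version keeps the whole payload inside the attribute value (the browser decodes `&quot;` to a literal quote character in the class name, never to an attribute delimiter), so no new element is created. Escaping alone still lets an attacker pick arbitrary class names, which is why the allowlist check is worth keeping as a second layer.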
