Yousef Amar

Reputation: 661

Is an XSS attack possible under these constraints?

The output is:

<img src="http://example.com/[input]"
     oncontextmenu="openUrl('http://example.com/[input]')">

Where [input] is the user input, which is sanitised through this function:

// this.replaceAll(str, search, replacement) is the caller's helper that
// replaces every occurrence of search in str (name taken from the snippet)
a => {
  a = String(a);
  a = this.replaceAll(a, "&", "&amp;");
  a = this.replaceAll(a, '"', "&quot;");
  a = this.replaceAll(a, "'", "&#39;");
  a = this.replaceAll(a, "<", "&lt;");
  return a = this.replaceAll(a, ">", "&gt;")
}

In other words, we seemingly can't break out or use quotes of any kind?

Is an XSS attack possible at all under these constraints? Or is it possible to redirect the user to any domain besides example.com? Or indeed, load an image from (or make a request to) evil.com? Thanks!

Upvotes: 0

Views: 281

Answers (1)

Bergi

Reputation: 665455

Yes, this is an XSS vulnerability.

While you do escape the HTML attribute syntax fine (so that nothing can break out of the src and oncontextmenu values), it does lack

  • validation of the example.com path. src attribute values can be malicious on their own, and if someone gets the visitor to load http://example.com/logout, http://example.com/user-content?from=eve&file=bad-icon or http://example.com/redirect.php?target=evil.com/, they might have won. Yes, this depends on who controls example.com and possible vulnerabilities in there, but getting the victim to load certain URLs is part of many attacks.
  • escaping of the JS string content! Let's say input is '.replace(/.*/,'evil.com')+', you will end up with oncontextmenu="openUrl('http://example.com/'.replace(/.*/,'evil.com')+'')". The HTML entities won't help you there - &apos; in the attribute becomes ' in the script.

Upvotes: 2
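The following is an added worked example, not code from the question or the answer. It reproduces the JS-string injection Bergi describes using the question's sanitiser, then shows a hardened rendering (JS-string escaping applied before HTML escaping) and a path allow-list for the src value. The names openUrl, decodeEntities, simulateContextMenu and isSafeResourcePath, the "icons/" directory, and the payload string are assumptions for illustration; the browser is stood in for by a tiny entity decoder plus new Function.

```javascript
// Added example (not from the original post). Assumed names: openUrl,
// decodeEntities, simulateContextMenu, isSafeResourcePath, "icons/".

// The question's sanitiser, rewritten as a plain function (same behaviour).
function htmlEscape(a) {
  a = String(a);
  a = a.replace(/&/g, "&amp;");
  a = a.replace(/"/g, "&quot;");
  a = a.replace(/'/g, "&#39;");
  a = a.replace(/</g, "&lt;");
  return a.replace(/>/g, "&gt;");
}

// Escape for the JS string-literal context: every non-alphanumeric character
// becomes \xHH or \uHHHH, so no quote, backslash, slash or tag character
// survives into the script, whatever HTML decoding happens afterwards.
function jsStringEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// The question's template: one HTML-escape used for both contexts.
function renderVulnerable(input) {
  const safe = htmlEscape(input);
  return `<img src="http://example.com/${safe}" oncontextmenu="openUrl('http://example.com/${safe}')">`;
}

// Hardened: JS-escape first (inner context), then HTML-escape (outer context).
function renderHardened(input) {
  const src = htmlEscape(input);
  const js = htmlEscape(jsStringEscape(input));
  return `<img src="http://example.com/${src}" oncontextmenu="openUrl('http://example.com/${js}')">`;
}

// Minimal stand-in for the browser: decode the five entities the sanitiser
// emits (this is what the HTML parser does to an attribute value).
function decodeEntities(s) {
  const map = { "&amp;": "&", "&quot;": '"', "&#39;": "'", "&lt;": "<", "&gt;": ">" };
  return s.replace(/&(amp|quot|#39|lt|gt);/g, (m) => map[m]);
}

// Pull the oncontextmenu value out of the markup, decode it, and run it with
// a recording openUrl. Returns the list of URLs openUrl was called with.
function simulateContextMenu(html) {
  const attr = html.match(/oncontextmenu="([^"]*)"/)[1];
  const calls = [];
  new Function("openUrl", decodeEntities(attr))((url) => calls.push(url));
  return calls;
}

// Bergi's first point, path validation: accept only a relative, file-like
// path under an allowed directory; no traversal, query, fragment, scheme or host.
function isSafeResourcePath(input, allowedDir) {
  const s = String(input);
  if (!/^[A-Za-z0-9_][A-Za-z0-9_.\/-]*$/.test(s)) return false;
  if (s.split("/").some((seg) => seg === "" || seg === "." || seg === "..")) return false;
  const u = new URL(s, "http://example.com/");
  return (
    u.origin === "http://example.com" &&
    u.search === "" &&
    u.hash === "" &&
    u.pathname.startsWith("/" + allowedDir)
  );
}

// Bergi's constructed payload from the answer.
const PAYLOAD = "'.replace(/.*/,'evil.com')+'";

console.log(simulateContextMenu(renderVulnerable(PAYLOAD)));
console.log(simulateContextMenu(renderHardened(PAYLOAD)));
console.log(isSafeResourcePath("icons/logo.png", "icons/"), isSafeResourcePath("redirect.php?target=evil.com/", "icons/"));
```

With the vulnerable template the decoded handler is openUrl('http://example.com/'.replace(/.*/,'evil.com')+''), so openUrl receives "evil.com"; with the hardened template the same input reaches openUrl as a literal string. The character allow-list in isSafeResourcePath is only a floor: as the answer notes, which paths on example.com are harmless depends on what example.com does, so the directory prefix should be the one the page actually intends to serve.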
