XSS: Beating HTML Sanitization Filters: Event Handlers
The example uses a version of the "Magical Code Injection Rainbow" taken from OWASP’s Broken Web Application Project. Find out how to download, install and use this project.
If you control the value *INJECT* in:
<a href="#" onClick="var a ='foo*INJECT*'">Click Me</a>
and the application correctly escapes both quotation marks and backslashes in your input, the following attack may still succeed:
The response then contains:
<a href="#" onClick="var a ='foo'; alert(1);//'">Click Me</a>
In this syntactic context, HTML encoding is not necessarily an obstacle to an attack, and an attacker may even use it to circumvent other defenses. The reason is the order in which the browser processes an inline event handler: the attribute value is HTML-decoded first, and only then is the resulting text handed to the JavaScript engine. A filter that escapes only literal quotation marks and backslashes never sees a quote in an HTML-encoded input, yet by the time the handler runs the character reference has become a real quote that terminates the string literal. Escaping for the JavaScript string context alone is therefore not sufficient here; output must also be encoded for the HTML attribute context (including the ampersand, so that attacker-supplied character references stay inert), and the safer design is not to place untrusted data inside inline event handlers at all.
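The following is an added example, not code from the original page or from the Magical Code Injection Rainbow project. It models the two decoding steps described above for the `var a ='foo*INJECT*'` handler: a weak filter that only JS-escapes quotes and backslashes (`jsEscape`), a hardened encoder that JS-escapes and then HTML-attribute-encodes including `&` (`safeForHandler`), and a minimal model of the browser's attribute decoding (`htmlAttrDecode`). `stringLiteralIntact` checks whether the source the JavaScript engine would see still consists of a single string literal. All function names and the probe input (a harmless second statement, `b=1`, in place of the page's `alert(1)`) are constructed for this illustration.

```javascript
// Added example (not from the original page): simulate why a filter that
// only escapes quotes and backslashes fails inside an inline event handler.

// Weak filter: escapes backslash and both quote characters for a JS string,
// but does nothing about HTML character references such as &#39;.
function jsEscape(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/"/g, '\\"');
}

// HTML attribute-context encoding. Encoding '&' is what keeps an
// attacker-supplied character reference from ever being decoded by the browser.
function htmlAttrEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened output encoding: JS-escape first (innermost context), then
// HTML-encode for the attribute (outermost context). The browser undoes the
// layers in reverse order, so the JS engine sees exactly the JS-escaped text.
function safeForHandler(s) {
  return htmlAttrEncode(jsEscape(s));
}

// Minimal model of the browser decoding an attribute value: numeric
// character references (decimal and hex) and a few named entities.
const NAMED = { amp: "&", quot: '"', lt: "<", gt: ">", apos: "'" };
function htmlAttrDecode(s) {
  return s.replace(/&(#x([0-9a-fA-F]+)|#(\d+)|(\w+));?/g, (m, _all, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return name in NAMED ? NAMED[name] : m;
  });
}

// Build the handler body the way the vulnerable template on the page does.
function renderHandler(encoder, input) {
  return "var a ='foo" + encoder(input) + "'";
}

// The JavaScript source the engine actually executes: the attribute value
// after the browser's HTML decoding step.
function handlerSourceSeenByJs(encoder, input) {
  return htmlAttrDecode(renderHandler(encoder, input));
}

// True if, after decoding, the text between "var a ='" and the final quote is
// still one string literal (backslash escapes honoured). If the literal closes
// early, the attacker's text has become executable code.
function stringLiteralIntact(src) {
  const start = src.indexOf("'") + 1;
  let i = start;
  while (i < src.length) {
    if (src[i] === "\\") { i += 2; continue; } // skip an escaped character
    if (src[i] === "'") break;                 // literal closes here
    i++;
  }
  return i === src.length - 1; // the closing quote must be the last character
}

// Constructed probe input: an HTML-encoded quote followed by a second statement.
const PROBE = "&#39;;b=1;//";
console.log("weak    :", handlerSourceSeenByJs(jsEscape, PROBE),
            stringLiteralIntact(handlerSourceSeenByJs(jsEscape, PROBE)));
console.log("hardened:", handlerSourceSeenByJs(safeForHandler, PROBE),
            stringLiteralIntact(handlerSourceSeenByJs(safeForHandler, PROBE)));
```

With the weak filter the engine receives `var a ='foo';b=1;//'`, the literal closes after `foo`, and the rest runs as code. With the hardened encoder the ampersand becomes `&amp;`, the browser decodes it back to a literal `&#39;` inside the string, and the literal stays intact. The same walker confirms that a plain `'` in the input is handled by the weak filter, which is why the defect is easy to miss in testing that only tries literal quotes.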