Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

XSS contexts / XSS in HTML tag attributes

Dany Jan 06, 2020 01:12PM UTC

Hello. I am learning about XSS as you can see, and I can’t understand a little bit about that scriptable context: " autofocus onfocus=alert(document.domain) x=" , I understand what autofocus and onfocus do, but I have no idea about first quote --> " , and last part of this script, --> x=" . What are they for?
There's explanation of this script:
"The above payload creates an onfocus event that will execute JavaScript when the element receives the focus, and also adds the autofocus attribute to try to trigger the onfocus event automatically without any user interaction. Finally, it adds x=" to gracefully repair the following markup." What does x=" repair?
Can someone please help me because I'm trying to figure out what is happening but I don't understand, please!


Hannah Law Jan 06, 2020 02:00PM UTC Support Center agent

The first quote mark is there to terminate the attribute value. For example: <h1 href="user input">. If the user inputs a ", this allows them to terminate the attribute tag early. They can then add another attribute tag, that can perform a function (see Lab: Reflected XSS into attribute with angle brackets HTML-encoded).

This will still leave the closing quote tag for the original attribute value. Therefore, if we leave that it could cause an error to occur. In the case shown above, we add in x=" in order to prevent an error from occurring, and so repair the markup.

So in our case, we would have <h1 href="" autofocus onfocus=alert(document.domain) x="">


Dany Jan 07, 2020 10:21AM UTC
Thank you very much!! Now it's more clear for me!!

Post Your public answer

Your name
Your email address
Answer