"So now that you've seen how contexts are important when mitigating XSS, I'll give you a new example", David said. "Take a look at the following example from a social networking web site".

<img src="/user/13.jpg"
onmouseover="showToolTip('Click for a larger version of this picture of Joe Smith')" />

"An attacker targeting this site puts javascript in the full name field of his profile. The attack vector is ..."

Joe');alert('XSS

"... and the img tag becomes".

<img src="/user/13.jpg"
onmouseover="showToolTip('Click for a larger version of this picture of Joe&#39;);alert(&#39;XSS')" />

"What do you think will happen here?"

I was looking at the code. The attack vector looked escaped to me. This is clearly data within an HTML attribute... and we should thus escape the characters that cause problems in HTML attributes. However, David of course had an intention in showing me this.

I was about to give up, when it dawned on me. This was of course similar to the previous one.

"It's a javascript context inside an HTML attribute context. And the escaping was for the HTML attribute - NOT the javascript. So the javascript would run as if there was no escaping", I said.

"That's exactly right", David said. "Good, let's move on."
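The point David makes above can be checked mechanically. The following JavaScript is an added example, not code from the original post or from the site it describes; the function names (buildVulnerableTag, buildHardenedTag, simulateMouseover and friends) are hypothetical. It builds the img tag two ways: the way the site does it (HTML-attribute encoding of the name only) and the hardened way (escape for the inner JavaScript string literal first, then encode for the HTML attribute that wraps it). A small stand-in for the browser then decodes the attribute the way the HTML parser would and runs the resulting handler with stubbed showToolTip and alert, so you can see which calls each version produces for the post's own attack vector.

```javascript
// Added example, not from the original post: the two encoding layers around a
// JavaScript string literal that lives inside an HTML attribute
// (onmouseover="showToolTip('...')"). All function names are hypothetical.

// Innermost context first: the JS string literal. Everything outside a small
// safe set becomes a \xHH or \u{...} escape, so the value can never close the
// quote, and the output contains nothing HTML-significant either.
function jsStringEscape(s) {
  return Array.from(s).map(ch => {
    if (/^[A-Za-z0-9 ]$/.test(ch)) return ch;
    const cp = ch.codePointAt(0);
    return cp < 0x100
      ? '\\x' + cp.toString(16).padStart(2, '0')
      : '\\u{' + cp.toString(16) + '}';
  }).join('');
}

// Outer context: a double-quoted HTML attribute value.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

const PREFIX = 'Click for a larger version of this picture of ';

// What the site in the post does: attribute-encode the name and nothing else.
function buildVulnerableTag(fullName) {
  return '<img src="/user/13.jpg" onmouseover="showToolTip(\'' + PREFIX +
    htmlAttrEncode(fullName) + '\')" />';
}

// Hardened: escape for the JS string first, then for the attribute around it.
function buildHardenedTag(fullName) {
  return '<img src="/user/13.jpg" onmouseover="showToolTip(\'' + PREFIX +
    htmlAttrEncode(jsStringEscape(fullName)) + '\')" />';
}

// --- A minimal stand-in for the browser, used only to compare the builders ---

// The HTML parser decodes entities in the attribute value before the JS
// engine ever sees it; that is why &#39; buys nothing in the inner context.
function htmlAttrDecode(s) {
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|amp|lt|gt|quot);/gi, (m, body, hex, dec) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return { amp: '&', lt: '<', gt: '>', quot: '"' }[body.toLowerCase()];
  });
}

// Run the decoded handler with stubbed showToolTip/alert and record the calls.
function simulateMouseover(tag) {
  const src = htmlAttrDecode(tag.match(/onmouseover="([^"]*)"/)[1]);
  const calls = { tooltips: [], alerts: [] };
  new Function('showToolTip', 'alert', src)(
    t => calls.tooltips.push(t),
    a => calls.alerts.push(a));
  return calls;
}

// The post's own attack vector, used as the sample input.
const VECTOR = "Joe');alert('XSS";

// Returns what each builder lets the handler do for the same input.
function demo() {
  return {
    vulnerable: simulateMouseover(buildVulnerableTag(VECTOR)),
    hardened: simulateMouseover(buildHardenedTag(VECTOR)),
  };
}
```

With the vulnerable builder the simulated handler calls showToolTip with the truncated name and then alert('XSS'); with the hardened builder alert is never reached and showToolTip receives the full name, quotes and all, as ordinary data. The order matters: encode for the innermost context first and the outermost last, so that each decoding step the browser performs (HTML attribute, then JavaScript string) peels off exactly one layer.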

