leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

Escaping attribute does not work sufficiently #267

Open djschilling opened 1 year ago

djschilling commented 1 year ago

I have the following code:

const xss = require('xss'); // js-xss HTML sanitizer
const userInput = 'https://heise.de" onmouseover="alert(document.cookie)"';
// Sanitized user input is concatenated directly into an attribute value
const html = '<a href="' + xss(userInput) + '">link</a>';

The output of html is the following: '<a href="https://heise.de" onmouseover="alert(document.cookie)"">link</a>'

This leads to an XSS attack. Is this a general problem with this library or am I using it wrong?

djschilling commented 1 year ago

I figured it out. Using escapeAttrValue is the correct function for this case.
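As an added example (not js-xss's own code and not from the issue author): a minimal attribute-value escaper in the spirit of escapeAttrValue, next to the naive concatenation from the issue, with a small attribute lister that shows where the injected onmouseover ends up. The escaping rules here are an assumption about what escapeAttrValue does, not copied from the library.

```javascript
// Escape the characters that let a value close a double-quoted attribute
// or open a tag. '&' goes first so the entities added below are not re-escaped.
// Assumed to mirror escapeAttrValue; this is an independent implementation.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The pattern from the issue, modeled without the xss() call: an HTML-context
// sanitizer leaves a bare quote in a plain string alone, so the quote closes
// the href attribute and the rest of the input becomes a second attribute.
function buildLinkUnsafe(href, text) {
  return '<a href="' + href + '">' + text + '</a>';
}

// Attribute context: escape the value for the attribute it is placed in.
// The same escaper is safe for the text node as well.
function buildLinkSafe(href, text) {
  return '<a href="' + escapeAttrValue(href) + '">' + escapeAttrValue(text) + '</a>';
}

// Minimal attribute lister for a single tag, used only to inspect the output.
// Returns the attribute names the browser would see in this tag.
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Input from the issue.
const userInput = 'https://heise.de" onmouseover="alert(document.cookie)"';

// Unsafe: ['href', 'onmouseover']; safe: ['href'].
console.log(attributeNames(buildLinkUnsafe(userInput, 'link')));
console.log(attributeNames(buildLinkSafe(userInput, 'link')));
console.log(buildLinkSafe(userInput, 'link'));
```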