rust-ammonia / ammonia

Repair and secure untrusted HTML
Apache License 2.0
524 stars, 43 forks

The XSS payload example in doc is invalid #169

Closed rmb122 closed 2 years ago

rmb122 commented 2 years ago

The XSS payload example used in the doc, <b><img src='' onerror='alert(\'hax\')'>I'm not trying to XSS you</b>, is invalid: it won't pop up hax in a real browser. In an HTML attribute, a backslash can't escape a quote in a string. It should use an HTML escape like <b><img src='' onerror='alert(&#039;hax&#039;)'>I'm not trying to XSS you</b> or directly use <b><img src='' onerror=alert('hax')>I'm not trying to XSS you</b>.
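The point above comes down to how an HTML tokeniser cuts an attribute value: inside a single-quoted value it reads up to the next `'` and treats a backslash as an ordinary character, and only character references such as `&#039;` are decoded. The following is an added example, not code from the ammonia project or from anyone in this thread. It mirrors that tokenisation with a small attribute extractor (`attributeValue`, `decodeCharRefs` and `isValidHandler` are names chosen here), runs the three snippets from the comment through it, and checks whether what a browser would hand to the JavaScript engine even compiles. It uses `new Function` only to compile the handler text, never to run it. The three sample strings are copied from the comment; nothing else is assumed.

```javascript
// Added example (not from the ammonia project). It shows why the doc's
// payload is not valid once an HTML parser has tokenised the attribute:
// HTML attribute values know nothing about backslash escapes, so
// onerror='alert(\'hax\')' yields the handler text  alert(\  , which is a
// JavaScript syntax error. A sanitizer such as ammonia drops the onerror
// attribute regardless of its value; this only concerns the docs' example.

// Decode the character references the samples use (a minimal decoder
// constructed for this example; a browser handles the full entity table).
function decodeCharRefs(s) {
  return s
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(parseInt(n, 10)))
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&apos;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Return the decoded value of the first `name=...` attribute in `html`,
// following the tokeniser's three value forms: 'single', "double", unquoted.
// A backslash inside a quoted value does not extend the value; the value
// simply ends at the next matching quote, exactly as in a browser.
function attributeValue(html, name) {
  const re = new RegExp(
    `\\s${name}\\s*=\\s*(?:'([^']*)'|"([^"]*)"|([^\\s>]+))`,
    'i'
  );
  const m = re.exec(html);
  if (!m) return null;
  const raw = m[1] ?? m[2] ?? m[3];
  return decodeCharRefs(raw);
}

// Would the browser be able to compile this text as an event-handler body?
// new Function() parses without executing; a SyntaxError means "no".
function isValidHandler(js) {
  try {
    new Function(js);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The three snippets from the issue comment (constructed inline from it).
const DOC_PAYLOAD =
  `<b><img src='' onerror='alert(\\'hax\\')'>I'm not trying to XSS you</b>`;
const ENTITY_PAYLOAD =
  `<b><img src='' onerror='alert(&#039;hax&#039;)'>I'm not trying to XSS you</b>`;
const UNQUOTED_PAYLOAD =
  `<b><img src='' onerror=alert('hax')>I'm not trying to XSS you</b>`;

// For each snippet: what the tokeniser extracts, and whether it compiles.
function checkSamples() {
  const samples = { doc: DOC_PAYLOAD, entity: ENTITY_PAYLOAD, unquoted: UNQUOTED_PAYLOAD };
  const out = {};
  for (const [label, html] of Object.entries(samples)) {
    const handler = attributeValue(html, 'onerror');
    out[label] = { handler, compiles: isValidHandler(handler) };
  }
  return out;
}

console.log(checkSamples());
```

Running it shows the doc snippet's handler text is `alert(\` (the value stopped at the first `'`), which does not compile, while both alternatives from the comment decode to `alert('hax')` and do. Note that the unquoted form ends at the first whitespace or `>`, so it would break again if the handler contained a space.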

lnicola commented 2 years ago

I think you're right, thanks. Do you want to file a PR for this?