|Name ||Cross-Site Scripting in Attributes |
|Summary ||The attacker inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities. |
|Prerequisites ||The target application must fail to adequately sanitize HTML attributes against the presence of dangerous commands. |
|Solutions ||Design: Use libraries and templates that minimize unfiltered input.
Implementation: Normalize, filter and white list all input including that which is not expected to have any scripting content.
Implementation: The victim should configure the browser to minimize active content from untrusted sources. |
|CWE ID ||Description |
|CWE-79 ||Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|CWE-83 ||Improper Neutralization of Script in Attributes in a Web Page |