HTML-Encoded Attribute Escape

Checks for any escaping from the img tag attribute from encoded input without using double quotes

Created on: Saturday, July 13, 2024 at 4:56:45 PM

Updated on: Saturday, August 31, 2024 at 3:11:17 PM

Vector type: XSS

<img src="/image.png" tag="html($[chr])><iframe><!--">

if (document.querySelector('iframe')) {
    log($[chr]);
}