HTML-Encoded Attribute Escape

Checks for any escaping from the img tag attribute from encoded input without using double quotes

Created on: Saturday, July 13, 2024 at 4:56:45 PM

Updated on: Thursday, November 21, 2024 at 7:58:39 AM

Vector type: XSS

Vector charset: UTF-8

<img src="/image.png" tag="html($[chr])><iframe><!--">

if (document.querySelector('iframe')) {
    log($[chr]);
}