Update: [XSS Filter Evasion Cheat Sheet] #1395
Labels: ACK_WAITING, HELP_WANTED, UPDATE_CS
What is missing or needs to be updated?

Modern browsers generally ignore `javascript:` in `<img>` `src` attributes. Most of the examples listed which would execute JavaScript within an `<img>` `src` attribute no longer work, and may provide a false sense of security to development teams who are attempting to mitigate XSS while ignoring the examples which utilize `<img src>`. However, the advice is still good, and almost entirely applicable if the examples are updated to `<a>` and `href`, instead.

How should this be resolved?

Update any example in the cheat sheet which relies on the execution of JavaScript in the `src` attribute of an `<img>` tag to use `<a>` and `href`.
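Since the issue's point is that `<a href>` remains a live `javascript:` sink even where `<img src>` no longer is, here is an added defender-side example (not code from the issue, the cheat sheet, or the OWASP project) of an allow-list check for attribute URLs before they are rendered into an anchor. It uses the WHATWG `URL` parser available in Node and browsers; the base URL `https://example.invalid/` and the function names are assumptions of this example.

```javascript
// Added example: allow-list validation of href values before rendering <a>.
// The WHATWG URL parser strips leading/trailing C0 controls and spaces,
// removes embedded tabs/newlines and lower-cases the scheme, which is the
// same normalisation browsers apply before deciding whether to run a
// javascript: URL, so obfuscated spellings resolve to the same scheme.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns true only for relative references or absolute URLs whose scheme
// is on the allow-list; javascript:, data:, vbscript: and unparsable
// input are all rejected.
function isSafeHref(value) {
  if (typeof value !== "string") return false;
  let url;
  try {
    // Assumed base so that relative references ("/login", "#top") parse.
    url = new URL(value, "https://example.invalid/");
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// HTML-escapes a value for use in an attribute or text node, so that a
// pre-encoded input such as "javascript&colon;..." stays literal text
// rather than being decoded by the HTML parser into a colon.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders an anchor: disallowed hrefs are replaced by a harmless fragment,
// and both the href and the link text are escaped on output.
function renderAnchor(href, text) {
  const safeHref = isSafeHref(href) ? href : "#";
  return `<a href="${escapeHtml(safeHref)}">${escapeHtml(text)}</a>`;
}
```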