How to XSS with a html tag filter?
Say your site injects user input into the following location
```
<img src="http://example.com/img.jpg" alt="USER-INPUT" />
```
If USER-INPUT is `" ONLOAD="alert('xss')`, this will render
```
<img src="http://example.com/img.jpg" alt="" ONLOAD="alert('xss')" />
```
No angle brackets necessary.
Also, check out OWASP XSS Experimental Minimal Encoding Rules.
For HTML body:
HTML Entity encode < &
specify the charset in the meta tag to avoid UTF7 XSS
For XHTML body:
HTML Entity encode < & >
limit input to charset http://www.w3.org/TR/2008/REC-xml-20081126/#charsets
So within the body, you can get away with only encoding (or removing) a subset of the characters usually recommended for preventing XSS. However, you cannot do this within attributes - the full XSS (Cross Site Scripting) Prevention Cheat Sheet (https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Output_Encoding_Rules_Summary) recommends the following, and they do not have a minimal alternative:
Except for alphanumeric characters, escape all characters with the HTML Entity `&#xHH;` format, including spaces. (HH = Hex Value)
This is mainly to cover the three ways of specifying an attribute value:
- Unquoted
- Single quoted
- Double quoted
Encoding in such a way will prevent XSS in attribute values in all three cases.
Also be wary that UTF-7 attacks do not need angle bracket characters. However, unless the charset is explicitly set to UTF-7, this type of attack isn’t possible in modern browsers.
```
+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
```
Message me anytime!
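To make the two points of the reply above concrete (a tag filter does not stop attribute-context injection, and per-character `&#xHH;` encoding does, including for unquoted attributes), here is an added example that is not part of the original thread. The `strip_tags` regex is a hypothetical stand-in for the kind of "clear all tags" filter the question describes; `encode_attr` implements the OWASP attribute rule quoted above, and the parser check shows which attributes an HTML parser actually sees on the resulting `img` tag. The payloads are the two from the reply.

```python
import html
import re
from html.parser import HTMLParser

# Payloads taken from the reply above: the attribute breakout and the UTF-7
# encoded script tag. Neither contains a literal angle bracket.
ATTR_PAYLOAD = "\" ONLOAD=\"alert('xss')"
UTF7_PAYLOAD = "+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-"

# Hypothetical "clear all tags" filter of the kind the question describes.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    return TAG_RE.sub("", value)


def escape_only(value: str) -> str:
    """Standard-library entity escaping of < > & " ' (spaces are left alone)."""
    return html.escape(value, quote=True)


def encode_attr(value: str) -> str:
    """OWASP attribute rule: everything except ASCII alphanumerics becomes
    &#xHH; (HH = hex code point), spaces included, so the value can neither
    close a quoted attribute nor split an unquoted one."""
    return "".join(
        c if c.isascii() and c.isalnum() else f"&#x{ord(c):X};" for c in value
    )


def render(alt_value: str, sanitizer, quoted: bool = True) -> str:
    """Inject the sanitized value into the alt attribute of the thread's img
    tag, either double-quoted or unquoted."""
    alt = sanitizer(alt_value)
    alt = f'"{alt}"' if quoted else alt
    return f'<img src="http://example.com/img.jpg" alt={alt} />'


class _ImgAttrs(HTMLParser):
    """Collect the attributes the parser sees on the img tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs.extend(attrs)


def img_attributes(markup: str) -> dict:
    p = _ImgAttrs()
    p.feed(markup)
    p.close()
    return dict(p.attrs)  # names are lowercased, entities already decoded


def has_event_handler(markup: str) -> bool:
    """True if the parsed img tag carries any on* attribute."""
    return any(name.startswith("on") for name in img_attributes(markup))


def utf7_decode(text: str) -> str:
    """What a browser would see if the page charset were taken as UTF-7."""
    return text.encode("ascii").decode("utf-7")


if __name__ == "__main__":
    cases = [
        ("tag filter, quoted", strip_tags, True),
        ("html.escape, unquoted", escape_only, False),
        ("OWASP &#xHH;, quoted", encode_attr, True),
        ("OWASP &#xHH;, unquoted", encode_attr, False),
    ]
    for label, sanitizer, quoted in cases:
        out = render(ATTR_PAYLOAD, sanitizer, quoted)
        print(f"{label:24} handler={has_event_handler(out)}  {out}")
    print("tag filter leaves UTF-7 alone:", strip_tags(UTF7_PAYLOAD) == UTF7_PAYLOAD)
    print("decoded as UTF-7:", utf7_decode(UTF7_PAYLOAD))
```

Running it shows the tag filter passes the breakout through unchanged (the parser sees an `onload` attribute), plain `html.escape` is enough for a double-quoted attribute but not for an unquoted one (the unencoded space starts a second attribute), and the `&#xHH;` form keeps the whole payload inside `alt` in both quoting styles. The UTF-7 string survives the tag filter untouched and only becomes a script tag once decoded as UTF-7, which is why the charset must be declared explicitly.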
hey didix13
thanks for your reply
Unfortunately those attacks don’t work, I already found this on Google…
I pointed out that there is a regex function which clears all tags, and even an escape sequence like the backslash in front of the “<” won’t work…
I think the regex function clears everything between the tag brackets, but I’m not sure and I don’t know how to bypass this
So yeah… let’s go through all these old threads to contribute nothing just for a stupid “medal”. Totally worth it and not annoying at all. Can’t wait for your next 1000 posts, @marco-D-badass**…
I do not mean I hurt you, I have free time so I think I’m here and interact with him better than social networking sites Yes I want to reach to end this site forever, so I have to get those medallions, such things as hacking games, sites points , Movies and music breakthrough make you rush in this area more dloser
It’s not about hurting me, it’s about spamming the forum with useless messages. It either means others have to go through all your messages to see if there is anything worthwhile, or just ignoring everything that has been posted recently, including actual questions. It’s good to interact, but perhaps stick to threads that are recent and only when you have something to add. Put your time in doing the challenges.
what fuck! omg :o
Hee I’m sorry I did not mean :‘( but this forum is weak .Thank you for alerting me, I’m working on real 4, Can I publish 10 in a day only? :| dloser
Also @marco-D-badass we have moderators who will delete off-topic or irrelevant messages. It will be way harder to get those so precious medals.
Message me anytime!
As @dloser said, you, @marco-D-badass, should refrain from over-posting, or I’ll have to clean some threads because of you
If you want to interact with people, do it the right way ;)
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’‘ at line 1