XSS via img tag, redundant semicolons?

I looked at the WebGoat exercises, and for one question, they are asking to create a JavaScript alert using the img tag.

Their solution is as follows:

<img src=x onerror=;;alert('XSS') /> 

After looking at their solution, I wonder why, before the actual warning, two (and not just one) semicolons are needed?

+4
1 answer

Indeed, semicolons are not needed. I just tested the same tag with semicolons on FF5 and the latest Chrome, and they both send warnings with this:

 <img src=x onerror=;;alert('XSS') />
 <img src=x onerror=alert('XSS') />
 <img src="x" onerror="alert('XSS')" />

I think they are trying to stop the onerror event at the first semicolon, and then output the dummy code from the event in the warning

I tried this

 <img src=x onerror=alert('eventfire');;alert('XSS') /> 

and it includes both warnings inside the event, so it does not fire a second warning outside the event scope.

Answer? It seems to do the same without semicolons (maybe for older browsers that do not parse HTML well and trigger a warning outside the scope of the event?)

+1
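
The behaviour reported in the answer can be checked outside a browser. This is an added example, not part of the original post or of WebGoat: a simplified attribute scanner plus a stand-in for how a browser compiles an event handler attribute, with `alert` replaced by a recorder. The function names are hypothetical, and the scanner assumes a single tag with name=value attributes.

```javascript
// Added example. TAGS are the four tags quoted on this page.
const TAGS = [
  "<img src=x onerror=;;alert('XSS') />",
  "<img src=x onerror=alert('XSS') />",
  "<img src=\"x\" onerror=\"alert('XSS')\" />",
  "<img src=x onerror=alert('eventfire');;alert('XSS') />",
];

// Simplified scanner (assumption: a single tag with name=value attributes).
// An unquoted value runs until whitespace or '>', so ';' and "'" stay in it.
function attributes(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  const inner = tag.replace(/^<\s*[^\s>\/]+/, ""); // drop the tag name
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Stand-in for the browser compiling the attribute value as a function body.
// `alert` is a recorder here, so the calls are collected instead of shown.
function runHandler(body) {
  const calls = [];
  new Function("alert", "event", body)((msg) => calls.push(msg), {});
  return calls;
}

// Value-independent check: report every on* attribute, whatever it contains.
function eventHandlerAttrs(tag) {
  return Object.keys(attributes(tag)).filter((name) => name.startsWith("on"));
}

for (const tag of TAGS) {
  const body = attributes(tag).onerror;
  console.log(JSON.stringify(body), "->", runHandler(body), eventHandlerAttrs(tag));
}
```

The leading semicolons parse as empty statements inside the handler body, so the first three tags record one call each and the fourth records two, all within the same handler. A sanitizer that keys on the attribute name rather than on the shape of its value treats all four identically.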