XSS without HTML tags

Tags: html, security, xss

Is it possible to do an XSS attack if my input does not allow < and > characters?

Example: I enter <script>alert('this');</script> text

But if I delete < and >, the script is not text:

I enter script alert('this'); script text
VMOrtega asked Dec 08 '22 09:12


2 Answers

Yes, it could still be possible.

e.g. Say your site injects user input into the following location

<img src="http://example.com/img.jpg" alt="USER-INPUT" />

If USER-INPUT is " ONLOAD="alert('xss'), this will render

<img src="http://example.com/img.jpg" alt="" ONLOAD="alert('xss')" />

No angle brackets necessary.

Also, check out OWASP XSS Experimental Minimal Encoding Rules.

For HTML body:

  • HTML Entity encode < &
  • specify charset in metatag to avoid UTF7 XSS

For XHTML body:

  • HTML Entity encode < & >
  • limit input to charset http://www.w3.org/TR/2008/REC-xml-20081126/#charsets

So within the body you can get away with only encoding (or removing) a subset of the characters usually recommended to prevent XSS. However, you cannot do this within attributes - the full XSS (Cross Site Scripting) Prevention Cheat Sheet recommends the following, and they do not have a minimal alternative:

Except for alphanumeric characters, escape all characters with the HTML Entity &#xHH; format, including spaces. (HH = Hex Value)

This is mainly there to cover the three ways of specifying the attribute value:

  • Unquoted
  • Single quoted
  • Double quoted

Encoding in such a way will prevent XSS in attribute values in all three cases.

Also be wary that UTF-7 attacks do not need angle bracket characters. However, unless the charset is explicitly set to UTF-7, this type of attack isn't possible in modern browsers.

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

Also beware of attributes that allow URLs like href and ensure any user input is a valid web URL. Using a reputable library to validate the URL is highly recommended using an allow-list approach (e.g. if protocol not HTTPS then reject). Attempting to block sequences like javascript: is not sufficient.

SilverlightFox answered Dec 20 '22 08:12
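An added example (my own code, not SilverlightFox's or OWASP's), run under Node.js, contrasting the strip-the-angle-brackets idea from the question with the OWASP attribute-encoding rule quoted in this answer, using the img/alt template above; `countAttributes` is a hypothetical helper that only shows whether the input broke out of the alt attribute.

```javascript
// Added example: stripping < and > is not enough once user input lands in an
// HTML attribute; encoding every non-alphanumeric character as &#xHH; is.
// Plain Node.js, no dependencies.

// The naive defence from the question: remove angle brackets only.
function stripAngleBrackets(input) {
  return input.replace(/[<>]/g, "");
}

// OWASP "HTML attribute" rule: everything except [A-Za-z0-9] becomes &#xHH;
// (code points above 0xFF simply get more hex digits; still a valid reference).
function encodeForHtmlAttribute(input) {
  return Array.from(input)
    .map((ch) =>
      /^[A-Za-z0-9]$/.test(ch)
        ? ch
        : "&#x" + ch.codePointAt(0).toString(16).toUpperCase() + ";"
    )
    .join("");
}

// The template from the answer: user input is placed in the alt attribute.
function renderImg(altValue) {
  return '<img src="http://example.com/img.jpg" alt="' + altValue + '" />';
}

// Hypothetical helper: count name="..." attributes in a single tag, so we can
// see whether the input stayed inside alt or added an attribute of its own.
function countAttributes(tag) {
  const m = tag.match(/\s[A-Za-z_:][-A-Za-z0-9_:.]*\s*=/g);
  return m ? m.length : 0;
}

// Constructed payload from the answer: contains no angle brackets at all.
const USER_INPUT = '" ONLOAD="alert(\'xss\')';

function demo() {
  const stripped = renderImg(stripAngleBrackets(USER_INPUT));
  const encoded = renderImg(encodeForHtmlAttribute(USER_INPUT));
  return {
    stripped,                                   // src, alt and an injected ONLOAD
    strippedAttrs: countAttributes(stripped),   // 3
    encoded,                                    // still only src and alt
    encodedAttrs: countAttributes(encoded),     // 2
  };
}

console.log(demo());
```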


If the user-supplied input is printed inside an HTML attribute, you also need to escape quotation marks or you would be vulnerable to inputs like this:

" onload="javascript-code" foobar="

You should also escape the ampersand character as it generally needs to be encoded inside HTML documents and might otherwise destroy your layout.

So you should take care of the following characters: < > & ' "

You should however not completely strip them but replace them with the correct HTML codes i.e. &lt; &gt; &amp; &quot; &#x27;

wonce answered Dec 20 '22 07:12