1

I have a website with the following code:

<input class="Header--search--form-input" name="search" value="&quot; onfocus=&quot;alert(1)&quot; autofocus=&quot;" placeholder="put request" > 

When I try to put XSS in it, the code turns into text. Do you have any ideas about how to deceive it?

5
  • 2
    So to clarify, you have some way of injecting HTML to be rendered into the value= attribute of the text field, but it's being HTML escaped (e.g. " converted to &quot etc.)? You need to provide more information, e.g. about the web server or app, etc. And even then, the answer will probably be: "it's not possible"
    – brynk
    Commented Jul 16, 2024 at 10:48
  • 1
    Like what @brynk is asking, could we please have some clarification? Thanks.
    Commented Jul 16, 2024 at 11:11
  • @brynk I don't think that it converted to something, it's just converted into text. I put in the following request: " onalert=alert("xss") data=" and then I got: <input class="Header--search--form-input" name="search" value="&quot; onalert=alert(&quot;xss&quot;) data=&quot;" placeholder="Введите запрос">
    Commented Jul 16, 2024 at 18:36
  • Like, in the answer there are no &quot; it's just "
    Commented Jul 16, 2024 at 18:40
  • 1
    Oooh, I think I got it.
    Commented Jul 16, 2024 at 18:41
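
An added example, not part of the original question or its comments: it renders the search string from the question into a constructed copy of the `<input>` template with and without attribute encoding, then parses both results to list the attributes the element actually ends up with. The template constant, function names and collector class are assumptions made for illustration; the run also shows why the raw response contains `&quot;` while the parsed value displays a plain `"`.

```python
from html import escape
from html.parser import HTMLParser

# Constructed template modelled on the <input> element in the question.
TEMPLATE = '<input class="Header--search--form-input" name="search" value="{v}">'

# The search string from the question, as it was typed into the field.
SUBMITTED = '" onfocus="alert(1)" autofocus="'


class AttrCollector(HTMLParser):
    """Records the attributes of the first <input> tag as the parser sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def render_unencoded(value):
    # Weak form: the value is pasted into the attribute as-is.
    return TEMPLATE.format(v=value)


def render_encoded(value):
    # Hardened form: &, <, > and both quote characters become entities.
    return TEMPLATE.format(v=escape(value, quote=True))


def parsed_attrs(markup):
    # Attribute names and entity-decoded values, as a parser reports them.
    collector = AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


if __name__ == "__main__":
    for render in (render_unencoded, render_encoded):
        markup = render(SUBMITTED)
        print(render.__name__)
        print("  markup:", markup)
        print("  attrs :", parsed_attrs(markup))
```

With encoding applied the element keeps exactly three attributes, and the whole submitted string, quotes included, is the decoded content of `value`.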
