I have a Web application and have run an XSS scan on it, and it reports that one of my pages that has a Java applet in it could potentially be open to XSS.

The test managed to assign a javascript alert box to the following HTML code:

<param name='id' value='' onMouseOver=alert(40041)>

My question is: is this a valid test? Will doing any XSS JavaScript manipulation on param objects cause any real-world issue? I don't think a MouseOver on a param object will do anything.

Thanks

A: 

How did that text get there? If via unescaped value, then attacker could probably close the tag and add any other script.

There are also other handlers, like onload and onerror.

It's quite simple to protect against XSS like this; just change:

  • & to &amp;
  • < to &lt;
  • ' to &#39;
  • and " to &quot;

and you won't have to worry what bad things could happen with a hijacked <param>.

porneL
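To see why the answer's four replacements matter, here is an added example (not from the question or the answer above) that renders the question's <param> tag with and without escaping and then parses the result the way a browser would. The injected value is a constructed payload modelled on the scanner's finding; the apostrophe is written as the numeric entity &#39;.

```python
from html.parser import HTMLParser

# Constructed payload modelled on the scanner's finding in the question:
# the value closes the quoted attribute and smuggles in an event handler.
INJECTED_ID = "' onMouseOver=alert(40041) x='"

# The four replacements from the answer. '&' goes first so the entities
# produced by the later replacements are not escaped a second time.
ESCAPES = [("&", "&amp;"), ("<", "&lt;"), ("'", "&#39;"), ('"', "&quot;")]


def escape_attr(value: str) -> str:
    """Escape a string for safe use inside a quoted HTML attribute value."""
    for raw, entity in ESCAPES:
        value = value.replace(raw, entity)
    return value


def render_param(value: str, escape: bool) -> str:
    """Render the <param> tag from the question, with or without escaping."""
    v = escape_attr(value) if escape else value
    return f"<param name='id' value='{v}'>"


class ParamAttrs(HTMLParser):
    """Collect the attributes a parser actually sees on the <param> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "param":
            self.attrs = dict(attrs)  # attribute names arrive lower-cased


def parsed_attrs(markup: str) -> dict:
    p = ParamAttrs()
    p.feed(markup)
    return p.attrs


if __name__ == "__main__":
    unsafe = parsed_attrs(render_param(INJECTED_ID, escape=False))
    safe = parsed_attrs(render_param(INJECTED_ID, escape=True))
    print("unescaped attributes:", unsafe)  # gains an 'onmouseover' attribute
    print("escaped attributes:  ", safe)    # only 'name' and the intact 'value'
```

The unescaped render splits the injected text into extra attributes, including the event handler; the escaped render keeps it as one inert attribute value that round-trips unchanged.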