Hi, is this correct?

<a href="#" style="color:#FFF;"onclick="add('alert("Google !")');" id="cricket" tabindex="1" name="cricket">cricket</a>
+1  A: 

No.

onclick="add('alert("

You don't have a complete JavaScript statement inside your attribute value.

Some authors use the character entity reference "&quot;" to encode instances of the double quote mark (") since that character may be used to delimit attribute values.

http://www.w3.org/TR/html4/charset.html#h-5.3

(And as an aside:

  • Don't use href="#", build on stuff that works
  • Don't use the style attribute, separate presentation and content
  • Don't forget to put spaces between your attributes
  • Don't use intrinsic event attributes (such as onclick), use unobtrusive JS (which would also solve the problem of the nested quotes)
  • Where possible, avoid tabindex in favour of a sensible natural tab order )
David Dorward
+1  A: 

onclick="add('alert("Google !")');" is being parsed as:

onclick        # attribute name
=
"add('alert("  # string
Google !       # random garbage
")');"         # another string

You'll have to escape the inner quotes, otherwise they terminate the string:

onclick="add('alert(&quot;Google !&quot;)');"

Beyond that, it depends on what add() does.

deceze
I don't think backslashes work like that in HTML. I've been able to find XSS holes in websites because they use `addslashes` there, where it really doesn't apply.
Matchu
@Matchu Long fixed. Working too little with HTML lately... ;)
deceze
Nice :) Answer revoked in favor of clearer explanation.
Matchu
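The breakdown in deceze's answer, the `&quot;` fix that both answers point to, and Matchu's remark that backslash escaping (`addslashes`) does not protect an attribute value can all be checked with a few lines of JavaScript. The following is an added example and is not code from the question or from any of the answers; the function names (`parseDoubleQuotedAttr`, `scriptSeenByBrowser` and so on) are made up for this illustration, and the tokenizer is a deliberate simplification of the HTML tokenizer that keeps only the rule that matters here: the first `"` after the opening quote ends the attribute value, and backslashes mean nothing to the HTML parser.

```javascript
// Added example, not code from the question or the answers above.
// Models how a browser tokenizes a double-quoted attribute, then compares
// three ways of putting add('alert("Google !")') into onclick: as written,
// backslash-escaped (PHP addslashes style), and entity-encoded.

// Tokenize one double-quoted attribute. Following the HTML tokenizer, the
// first " after the opening quote ends the value; a preceding backslash does
// not change that. Returns the value and whatever follows the closing quote.
function parseDoubleQuotedAttr(markup, name) {
  const prefix = name + '="';
  const start = markup.indexOf(prefix);
  if (start === -1) return null;
  const valueStart = start + prefix.length;
  const end = markup.indexOf('"', valueStart);
  if (end === -1) return null;
  return { value: markup.slice(valueStart, end), trailing: markup.slice(end + 1) };
}

// Character references are decoded after tokenizing, when the value is handed
// to the script engine, which is why &quot; never terminates the attribute.
function decodeEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
          .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Backslash escaping for a string literal (what PHP's addslashes does).
// It is the wrong tool for an HTML attribute value.
function addslashes(s) {
  return s.replace(/([\\'"])/g, '\\$1');
}

// Entity encoding for a value placed inside a quoted HTML attribute.
function escapeHtmlAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build the anchor from the question with the onclick value passed through
// the chosen escaper.
function buildAnchor(js, escaper) {
  return '<a href="#" onclick="' + escaper(js) + '" id="cricket">cricket</a>';
}

// The script text the browser would actually hand to the JS engine.
function scriptSeenByBrowser(js, escaper) {
  const attr = parseDoubleQuotedAttr(buildAnchor(js, escaper), 'onclick');
  return attr === null ? null : decodeEntities(attr.value);
}

// The markup left over after the attribute value was cut short: this is the
// "random garbage" in deceze's breakdown, and in the addslashes case it is
// where injected markup would land.
function leftoverMarkup(js, escaper) {
  const attr = parseDoubleQuotedAttr(buildAnchor(js, escaper), 'onclick');
  return attr === null ? null : attr.trailing;
}

// The statement from the question, constructed inline for the demonstration.
const ORIGINAL_JS = 'add(\'alert("Google !")\');';

const raw = scriptSeenByBrowser(ORIGINAL_JS, s => s);         // "add('alert("
const slashed = scriptSeenByBrowser(ORIGINAL_JS, addslashes);  // "add(\'alert(\"
const encoded = scriptSeenByBrowser(ORIGINAL_JS, escapeHtmlAttr); // the full statement
console.log(JSON.stringify({ raw, slashed, encoded, leftover: leftoverMarkup(ORIGINAL_JS, s => s) }));
```

Running it shows that both the raw and the backslash-escaped versions stop at the first inner `"`, so the script engine only ever sees `add('alert(`, while the entity-encoded version round-trips to the complete statement. The single quotes did not need encoding inside a double-quoted attribute, but a general-purpose attribute escaper encodes both so it is safe whichever quote delimits the attribute.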