Test code for XSS protecting

I am looking for some test code for a Quill Editor to see what is built into their code to prevent scripting. For example, if I insert this into my database, shouldn’t this be clickable once it’s drawn to the page to view:

<a href="#" onclick="javascript:alert(`XSS`);return false;">XSS</a>

or shouldn’t this pop open an alert:

<img src="http://www.abcdesfasf.com/a.jpg" onerror="alert(1)" />

<script>alert(1)</script>

Any examples or help would be appreciated.  Thank you.

How is it being written to the page?
You would generally escape characters when writing to the page.
For example in PHP you may do: echo htmlspecialchars($someString);
The result is something like:-

&lt;a href="#" onclick="javascript:alert(`XSS`);return false;"&gt;XSS&lt;/a&gt;

…when you “view source”, which is harmless, though it will display in the browser as you have it.

1 Like

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.