Hi Andy, Can you clarify which version of the XSS bundle you are using?
I tried this in the 2.3.x XSS codebase. When I plug your string into the XSSAPIImplTest#dataForEncodeToHtmlAttr <https://github.com/apache/sling-org-apache-sling-xss/blob/7a9ed4c18cfacaa3a270ba0bc286b7d5e67cb00e/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java#L292> test data I get the following as the output: /content/dam/test-folder/"><img src=x onerror=alert(document.cookie)>.html Regards, Eric On Wed, Oct 5, 2022 at 10:00 AM Andreas Schaefer <[email protected]> wrote: > Hi > > When I use XSSAPI.encodeForHTMLAttr() with this value: > > /content/dam/test-folder/"><img src=x onerror=alert(document.cookie)>.html > > The resulting html tag will be closed on the <img> tag is injected. > > I would assume that a method like this will not allow the HTML Attribute > to be closed let alone to close the tag altogether. > > Is there a way to fix that within the Sling XSS suite ? > Is that a shortcoming / bug ? > > Thanks - Andy
