<img class="avatar" src="MY INPUT SPACE">
I am trying to bypass an XSS filter but it is not working since given <, > are filtered. I feel like it I could break it since only these two characters are filtered but I just couldn't find a way to do it, any suggestion on this?
The general advice (to inject an event handler in the image tag) from @MarkBuffalo in the comment is correct, but onload isn't a great choice of event handler for images. The better option is usually onerror, which is very easy to reliably trigger; just set the source to be something you know won't exist (or at least won't be an image), like src="qq" onerror="alert('XSS!')".
The specific exception I like is SVG tags, where <svg onload="…" /> is a nice short string (as short as <script>…</script>, and usable in places that try stupid tricks like filtering <script>).
onload a good choice for images? It works for me pretty much every time. However, stuff like buttons, or other elements, sure.
– Mark Buffalo
Apr 15 '18 at 06:40
style="display:none" to hide it or set another background-image so it looks normal afterwards
– rubo77
Jun 03 '20 at 21:04
<img class="avatar" src="imghere.jpg" onload="javascript:alert('lol');"/>. So, inputimghere.jpg" onload="javascript:alert('lol');? – Mark Buffalo Apr 15 '18 at 02:37srcattribute? – Mark Buffalo Apr 15 '18 at 06:40