
False Negatives in XSS Detection on Event Handler Attributes

Open arminabf opened this issue 3 months ago • 3 comments

The libinjection.IsXSS() function fails to detect certain HTML5 event handler attributes as XSS vectors.

Environment:

  • libinjection-go latest version
  • Go 1.24.7
```go
package main

import (
	"fmt"

	"github.com/corazawaf/libinjection-go"
)

func main() {
	// HTML5 event handler attribute names that IsXSS does not flag.
	events := []string{
		"onauxclick",
		"onpagereveal",
		"onpageswap",
		"onscrollsnapchange",
		"onscrollsnapchanging",
		"onwebkitwillrevealbottom",
	}

	// Each name is placed in a minimal tag and passed to the detector.
	for i, event := range events {
		payload := fmt.Sprintf("<tag %s=alert(1)>", event)
		fmt.Printf("result %d (%s): %v\n", i, event, libinjection.IsXSS(payload))
	}
}
```

Results:

```text
result 0 (onauxclick): false
result 1 (onpagereveal): false
result 2 (onpageswap): false
result 3 (onscrollsnapchange): false
result 4 (onscrollsnapchanging): false
result 5 (onwebkitwillrevealbottom): false
```

arminabf avatar Oct 14 '25 15:10 arminabf
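As an added example (not the project's code, and not using libinjection-go), a prefix-based fallback check that treats any `on<letters>=` attribute inside a tag as an event handler, so that names missing from a static table, like the six above, are still flagged; the function name `HasEventHandlerAttr` and the samples are mine, and the check is over-inclusive by design.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// eventAttrRe matches an attribute whose name begins with "on", preceded by a
// separator that can end a tag name or a previous attribute (whitespace, '/',
// or a closing quote) and followed by '='. Matching the "on" prefix instead of
// a fixed table is what lets it catch handlers added after the table was built.
var eventAttrRe = regexp.MustCompile("(?i)[\\s/\"'`]on[a-z]+\\s*=")

// HasEventHandlerAttr reports whether s contains an "on*=" attribute inside an
// HTML tag. It is deliberately over-inclusive (any on-prefixed attribute name
// counts), which is the usual trade-off for a WAF-style fallback check.
func HasEventHandlerAttr(s string) bool {
	lt := strings.Index(s, "<") // only text after a '<' can be an attribute
	if lt < 0 {
		return false
	}
	return eventAttrRe.MatchString(s[lt:])
}

func main() {
	// Constructed samples: the six handler names from the report above,
	// plus a benign control that merely mentions a handler name in text.
	samples := []string{
		"<tag onauxclick=alert(1)>",
		"<tag onpagereveal=alert(1)>",
		"<tag onpageswap=alert(1)>",
		"<tag onscrollsnapchange=alert(1)>",
		"<tag onscrollsnapchanging=alert(1)>",
		"<tag onwebkitwillrevealbottom=alert(1)>",
		"<p class=\"note\">onclick is mentioned in prose</p>",
	}
	for i, s := range samples {
		fmt.Printf("sample %d: %v\n", i, HasEventHandlerAttr(s))
	}
}
```

Run it as a second opinion after `IsXSS` returns false, not as a replacement for it.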

We'll look into it; I just assigned Copilot to test this feature.

jptosso avatar Oct 14 '25 15:10 jptosso

@fzipi @jcchavezs @M4tteoP What is our posture around experimental HTML features from different browsers? I think if we are going to add a few, we should add them all.

jptosso avatar Oct 14 '25 15:10 jptosso

I've been trying to push this one for the upstream C module for a while: https://github.com/libinjection/libinjection/pull/57/files

fzipi avatar Oct 14 '25 16:10 fzipi