Given is the following HTML fragment, which is statically typed in an HTML file:
<a id="link001" href="https://google.com" target="_blank">Google</a>
Please consider that the attribute value of href is quoted. Is it possible to perform an XSS attack when the attacker can provide an arbitrary value for the variable unsafe_string in the following context:
$('#link001').attr("href", unsafe_string);
My question is: Is it possible to inject and execute malicious code? The attacker has control only of unsafe_string and nothing else. The attacker can assume that the victim will finally click the link.
The case that a user can get forwarded to some malicious website by clicking the link should be neglected.
Answer 0 (score: 3)
Yes, this is unsafe; you can put javascript: in front of the malicious code:
$('#link001').attr("href", "javascript:alert('evil')");
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<a id="link001" href="https://google.com" target="_blank">Google</a>
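One way to close the hole shown in the answer, as an added example that is not part of the original question or answer: parse the value with the standard URL API and allow only http(s) schemes before it reaches .attr("href", ...). The names safeHref, ALLOWED_PROTOCOLS, FALLBACK_HREF and BASE, and the example.test base URL, are hypothetical.

```javascript
// Added example (not from the original post): allow-list the URL scheme
// before the value is written into href. All names here are hypothetical.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const FALLBACK_HREF = "about:blank"; // assumption: inert target for rejected input
const BASE = "https://example.test/app/"; // constructed; in a page use document.baseURI

function safeHref(unsafeString, baseUrl) {
  let parsed;
  try {
    // The URL parser normalizes the input the same way the browser does when
    // it resolves href: it trims leading spaces/control characters, removes
    // tabs and newlines, and lowercases the scheme. Comparing the parsed
    // protocol therefore catches " JaVaScRiPt:" and "java\tscript:" as well.
    parsed = new URL(String(unsafeString), baseUrl);
  } catch (e) {
    return FALLBACK_HREF; // unparsable, or relative without a base
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : FALLBACK_HREF;
}

// Constructed sample inputs, including obfuscated forms of the scheme.
const SAMPLE_INPUTS = [
  "https://google.com",
  "/profile?id=7",
  "javascript:alert('evil')",
  "  JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,hi",
];

for (const input of SAMPLE_INPUTS) {
  console.log(JSON.stringify(input), "->", safeHref(input, BASE));
}

// In the page from the question the call would become:
//   $('#link001').attr("href", safeHref(unsafe_string, document.baseURI));
```

This stops script execution through the href scheme only; it still lets the link point at any http(s) site, which is the redirect case the question sets aside.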