Event-handler attribute injection
Check whether on* attributes such as img onerror or details ontoggle survive rendering and execute.
HTML payload check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Verify that on* attributes such as onerror, onclick, onload, and ontoggle are removed, not merely HTML-escaped inside the attribute value
- Check that the attribute allowlist is not looser than the tag allowlist: allowing a tag must never implicitly allow all of its attributes
- Verify that CSP blocks inline event handlers: the script-src (or script-src-attr) directive must not carry 'unsafe-inline' unless a nonce or hash source is also present, in which case browsers ignore 'unsafe-inline'
Payload
A classic HTML attribute XSS using an image load failure event.
Preview
The preview intentionally performs unsafe rendering for learning. In a real service, this payload should be escaped as text or removed.
Explanation
- Stripping <script> is not enough. Event-handler attributes such as onerror, onclick, onload, and ontoggle can still execute scripts, and some fire without any user interaction (an img with a broken src fires onerror on load; a details element with the open attribute fires ontoggle when it is attached).
- Maintain an attribute allowlist alongside the tag allowlist, and prefer dropping all on* attributes by default rather than enumerating them, since new event names are added over time.
- Confirm that your CSP also blocks inline event handlers, so that a sanitizer bypass does not turn directly into script execution.
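The three checks listed under "HTML payload check" and restated in the explanation above, as an added example that is not part of the lab or its own code. It tokenizes the payload the way a browser would (attributes separated by whitespace or "/", quoted or bare values, case-insensitive names), reports which on* attributes survive, re-serializes through a per-tag attribute allowlist that drops every on* attribute, and checks whether a Content-Security-Policy header actually blocks inline handlers. The function names, the allowlist table and the payload strings are assumptions made for the example.

```javascript
// Added example (not the lab's own code). Assumed names: tokenize,
// findEventHandlers, sanitizeHtml, cspBlocksInlineHandlers, TAG_ALLOWLIST.
// The tokenizer approximates the HTML5 tag tokenizer closely enough to show
// how browsers split attributes; production code should use a real parser.

// Per-tag attribute allowlist. No on* attribute appears anywhere in it, and a
// tag absent from this table is dropped entirely (its text content is kept).
const TAG_ALLOWLIST = {
  p: [], b: [], i: [], br: [], summary: [],
  img: ["src", "alt"], details: ["open"], a: ["href"],
};
const URL_ATTRS = new Set(["src", "href"]);

const escapeText = (s) =>
  s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = (s) => escapeText(s).replace(/"/g, "&quot;");

// Allow only relative URLs, fragments, http(s) and mailto. Whitespace and
// control characters are stripped first because browsers ignore them in schemes.
function isSafeUrl(value) {
  const v = value.replace(/[\s\u0000-\u001f]/g, "");
  return /^(?:https?:|mailto:|\/|\.\/|#|[^:]*$)/i.test(v);
}

// Split HTML into {type:"text", value} and
// {type:"tag", name, closing, attrs:[[name, value], ...]} tokens.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") {
      const j = html.indexOf("<", i);
      const end = j === -1 ? html.length : j;
      tokens.push({ type: "text", value: html.slice(i, end) });
      i = end;
      continue;
    }
    if (html.startsWith("<!--", i)) {            // comments are dropped
      const j = html.indexOf("-->", i + 4);
      i = j === -1 ? html.length : j + 3;
      continue;
    }
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
    if (!m) { tokens.push({ type: "text", value: "<" }); i += 1; continue; }
    let p = i + m[0].length;
    const attrs = [];
    while (p < html.length && html[p] !== ">") {
      if (/[\s\/]/.test(html[p])) { p += 1; continue; }   // "/" also separates attributes
      const a = /^[^\s"'>\/=]+/.exec(html.slice(p));
      if (!a) { p += 1; continue; }                        // stray quote or "="
      const name = a[0].toLowerCase();
      p += a[0].length;
      let value = "";
      const eq = /^\s*=\s*/.exec(html.slice(p));
      if (eq) {
        p += eq[0].length;
        const q = html[p];
        if (q === '"' || q === "'") {                      // quoted value may contain ">"
          const j = html.indexOf(q, p + 1);
          const end = j === -1 ? html.length : j;
          value = html.slice(p + 1, end);
          p = end + 1;
        } else {                                           // bare value runs to whitespace or ">"
          value = /^[^\s>]*/.exec(html.slice(p))[0];
          p += value.length;
        }
      }
      attrs.push([name, value]);
    }
    tokens.push({ type: "tag", name: m[2].toLowerCase(), closing: m[1] === "/", attrs });
    i = Math.min(p + 1, html.length);                      // consume ">"
  }
  return tokens;
}

// The check: which on* attributes does the rendered markup still contain?
function findEventHandlers(html) {
  const found = [];
  for (const t of tokenize(html)) {
    if (t.type !== "tag") continue;
    for (const [name] of t.attrs) if (name.startsWith("on")) found.push(`${t.name}@${name}`);
  }
  return found;
}

// The fix: re-serialize through the allowlist, dropping every on* attribute
// and any URL attribute whose value carries a script-capable scheme.
function sanitizeHtml(html) {
  let out = "";
  for (const t of tokenize(html)) {
    if (t.type === "text") { out += escapeText(t.value); continue; }
    const allowed = TAG_ALLOWLIST[t.name];
    if (!allowed) continue;
    if (t.closing) { out += `</${t.name}>`; continue; }
    const kept = t.attrs
      .filter(([n, v]) => !n.startsWith("on") && allowed.includes(n) && (!URL_ATTRS.has(n) || isSafeUrl(v)))
      .map(([n, v]) => ` ${n}="${escapeAttr(v)}"`).join("");
    out += `<${t.name}${kept}>`;
  }
  return out;
}

// Does this Content-Security-Policy value block inline event handlers?
// Handlers are governed by script-src-attr, then script-src, then default-src.
function cspBlocksInlineHandlers(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1).map((s) => s.toLowerCase()));
  }
  const sources = directives.get("script-src-attr") ?? directives.get("script-src") ?? directives.get("default-src");
  if (!sources) return false;                              // nothing restricts scripts at all
  if (!sources.includes("'unsafe-inline'")) return true;
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  return sources.some((s) => /^'(?:nonce-|sha(?:256|384|512)-)/.test(s));
}

// Constructed payloads (not the lab's) for the two cases the page names.
const PAYLOADS = ['<img src=x onerror=alert(1)>', '<img/src/onerror=alert(1)>',
                  '<details open ontoggle="alert(1)">x</details>'];
for (const p of PAYLOADS) console.log(findEventHandlers(p), "->", sanitizeHtml(p));
```

Running it shows each payload reported as img@onerror or details@ontoggle, then rewritten to <img src="x">, <img src=""> and <details open="">x</details>. The second payload matters because "/" separates attributes in the HTML tokenizer, so a sanitizer that only splits on whitespace keeps the handler; the allowlist filter drops on* regardless of how the attribute was delimited. The CSP check treats a policy with no script-src or default-src as not blocking anything, which is the common misconfiguration.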