I recently ran into a devious XSS attack based on the onerror event. It can be done by exploiting other events as well, but the
<img onerror=alert(x); src=f
alert statement with a malicious script, such as reading or changing cookies, is how the attack works. When the img element is rendered it throws the onerror event in browsers that support it, because the markup is incomplete. The especially tricky thing about this attack is that most HTML-removal regular expressions used to sanitize parameters won't catch it, because there is no closing tag.
To make sure you are not susceptible to this attack, always escape HTML entities before writing to the database, and then do not unescape them before appending text to the document.
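The difference between tag stripping and entity escaping on the unclosed payload above, as an added example that is not code from the original post. The function names and the stripping regex are assumptions chosen to represent a typical HTML-removal filter.

```javascript
// Constructed sample inputs: the unclosed payload quoted in the post,
// and an ordinary closed tag for comparison.
const UNCLOSED = '<img onerror=alert(x); src=f';
const CLOSED = '<b>hello</b>';

// Hypothetical "HTML removal" filter: strips anything that looks like a
// complete tag, i.e. '<' ... '>'. Without a '>' there is nothing to match.
function stripTags(input) {
  return String(input).replace(/<[^>]*>/g, '');
}

// Entity escaping: every character that can start or shape markup is
// replaced, so it does not matter whether the tag was ever closed.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// True if the string still contains a character that opens a tag.
function hasRawTagOpener(s) {
  return s.includes('<');
}

// Run both treatments over one input and report what is left.
function compare(input) {
  const stripped = stripTags(input);
  const escaped = escapeHtml(input);
  return {
    stripped, escaped,
    strippedStillOpensTag: hasRawTagOpener(stripped),
    escapedStillOpensTag: hasRawTagOpener(escaped),
  };
}

console.log(compare(CLOSED));
console.log(compare(UNCLOSED));
```

The stripper removes the closed tag but returns the unclosed payload unchanged, while the escaped form contains no `<` in either case.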
For more information about all cross-site scripting attacks, see http://ha.ckers.org/xss.html.