Event Based Cross Site Scripting Attack

I recently ran into a devious XSS attack, based on the onerror event. It can be done by exploiting other events as well, but the onerror event works particularly well, because the JavaScript is executed as soon as the node is rendered or appended to the page. Here is the attack:

<img onerror=alert(x); src=f

Then, when the user content is appended or rendered in the page, the JavaScript executes. Replacing the alert statement with a malicious script, such as one that reads or changes cookies, is how the attack works. When the img element is rendered it fires the onerror event in browsers that support it, because the markup is incomplete. The especially tricky thing about this attack is that most HTML-removal regular expressions used to sanitize parameters won't catch it, because there is no closing tag.

To ensure you are not susceptible to this attack, always escape HTML special characters as entities before writing to the database, and do not unescape them before appending the text to the document.
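The following is an added example, not code from the original post, that shows both points above: a tag-stripping regular expression leaves the unclosed img payload untouched, while escaping the HTML special characters neutralises it, and unescaping again before insertion brings the live payload back. The helper names (stripTags, escapeHtml, unescapeHtml, containsEventHandler) and the sample input are assumptions made for this example.

```javascript
// Constructed sample of user-supplied content, modelled on the payload in the post.
const SAMPLE_INPUT = 'hello <img onerror=alert(x); src=f';

// Naive sanitizer: remove anything that looks like a complete <...> tag.
// The payload has no closing '>' so this pattern never matches it.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, '');
}

// Escape the five characters that change meaning in HTML text and attribute
// contexts. Once '<' becomes '&lt;' the browser cannot start a tag from it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Reverse of escapeHtml. Applying this before appending to the document
// restores the live markup, which is exactly what the post warns against.
function unescapeHtml(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => map[e]);
}

// Defensive check (hypothetical): does the string still contain an element
// opener carrying an on* event-handler attribute? Useful as a sanity test
// on sanitizer output or as a detection rule over stored content.
function containsEventHandler(s) {
  return /<[a-z][^>]*\bon[a-z]+\s*=/i.test(s);
}

// Stand-alone demonstration of the three outcomes.
function demo() {
  return {
    stripped: stripTags(SAMPLE_INPUT),                       // payload survives
    escaped: escapeHtml(SAMPLE_INPUT),                       // payload inert
    roundTripped: unescapeHtml(escapeHtml(SAMPLE_INPUT)),    // payload back
    strippedStillDangerous: containsEventHandler(stripTags(SAMPLE_INPUT)),
    escapedStillDangerous: containsEventHandler(escapeHtml(SAMPLE_INPUT)),
  };
}

console.log(demo());
```

The escaped string is safe to insert into an HTML text node; it is not safe to place inside a script block or a URL, where a different encoding applies, so pick the escaping routine by the context you are writing into.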

For more information about all cross site scripting attacks, see http://ha.ckers.org/xss.html.