This article is part of our Web Security Knowledge Base.
Why User Controllable HTML Element Attribute (Potential XSS) can be dangerous
This alert looks for GET and POST requests whose parameter values are reflected into an attribute value of an element in the resulting HTML, which means that attribute is under user control.
How to fix User Controllable HTML Element Attribute (Potential XSS)
The application code should be modified to:
Allow user input to be inserted into HTML only where it is actually needed.
Sanitize input attribute values according to the specific use case and technology; see the OWASP Cross Site Scripting Prevention Cheat Sheet for details: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
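The following Python example is added here to illustrate both halves of this page: the unsafe and the hardened way of placing a request parameter into an element attribute, and two checks in the spirit of the alert described above. It is not ScanRepeat's or ZAP's code; the renderer functions, the page layout and the sample input are constructed for this example. The first check is what the alert itself reports (a parameter value appearing inside an attribute value, which also fires on correctly encoded output and is why the finding is only "potential" XSS); the second is a structural check a reviewer can run to see whether the input actually changed the markup.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote


def render_profile_link_unsafe(user_name: str) -> str:
    """Vulnerable (constructed) renderer: the request parameter lands in two
    attributes with no quoting and no encoding, so the HTML structure
    depends on the input."""
    return f'<a href=/users/{user_name} title={user_name}>profile</a>'


def render_profile_link_safe(user_name: str) -> str:
    """Hardened renderer: every attribute is quoted, the URL path segment is
    percent-encoded first, and both values are HTML-attribute-encoded
    (quote=True also encodes ' and "), so the input can only ever be a value."""
    path_segment = quote(user_name, safe="")
    return (
        f'<a href="/users/{html.escape(path_segment, quote=True)}" '
        f'title="{html.escape(user_name, quote=True)}">profile</a>'
    )


class _AttrCollector(HTMLParser):
    """Collects (tag, attribute name, decoded attribute value) from a response."""

    def __init__(self):
        super().__init__()
        self.attrs = []  # list of (tag, name, value); value is None for bare names

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            self.attrs.append((tag, name, value))


def _collect(response_html: str):
    parser = _AttrCollector()
    parser.feed(response_html)
    parser.close()
    return parser.attrs


def reflected_attributes(response_html: str, param_value: str):
    """Check 1, what the alert reports: attributes whose value contains the
    submitted parameter value. This fires for correctly encoded output too,
    which is why the alert is 'potential' XSS and needs manual review."""
    return [
        (tag, name)
        for tag, name, value in _collect(response_html)
        if value is not None and param_value in value
    ]


def unexpected_attribute_names(response_html: str, expected: set) -> set:
    """Check 2, structural: attribute names present in the response that the
    page template never emits. A non-empty result means the input escaped
    the attribute value and is now shaping the markup."""
    return {name for _, name, _ in _collect(response_html)} - expected


if __name__ == "__main__":
    # Constructed sample input: an ordinary name containing a space.
    submitted = "Ada Lovelace"
    for label, page in (("unsafe", render_profile_link_unsafe(submitted)),
                        ("safe", render_profile_link_safe(submitted))):
        print(label, page)
        print("  reflected in:", reflected_attributes(page, submitted))
        print("  unexpected attributes:",
              unexpected_attribute_names(page, {"href", "title"}))
```

Run it and the unsafe renderer shows a new attribute name (`lovelace`) that the template never emitted: the space in the unquoted value ended the attribute, so the remainder of the input became markup. The hardened renderer reports only the expected reflection into `title`, which is the case a reviewer can close as properly encoded.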
How does ScanRepeat report User Controllable HTML Element Attribute (Potential XSS)
This problem is reported together with a complete example of the HTTP request, including its parameter list, that resulted in an attribute value being injected into the resulting HTML page.