User Controllable HTML Element Attribute (Potential XSS)

ID

user_controllable_html_element_attribute_potential_xss

Severity

info

Kind

Cross-Site Scripting

CWE

20

Description

This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.

Rationale

User-controlled HTML attributes can be exploited for cross-site scripting even when the input does not directly appear in script tags. Attackers can inject malicious payloads into attributes like href, src, or data attributes that execute JavaScript when triggered. For example, injecting javascript: URLs into href attributes or manipulating attributes that feed into client-side frameworks can lead to code execution in the victim’s browser, enabling session hijacking, credential theft, or malware distribution.
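As an added illustration of the kind of hot-spot detection the Description and Rationale sections describe (example code written for this page, not the scanner's own check): it parses a response with Python's built-in html.parser, reports every attribute value that echoes a query-string parameter, and notes whether the echo lands at the start of a URL attribute such as href or src, where a javascript: scheme would matter. The request and response below are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Attribute families worth reviewing first when user input reaches them:
# URL-bearing attributes (javascript: URLs), event handlers, and data-* attributes.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}

def classify_sink(attr_name):
    """Rough sink class for an attribute name, used to prioritise analyst review."""
    if attr_name in URL_ATTRS:
        return "url"
    if attr_name.startswith("on"):
        return "handler"
    if attr_name.startswith("data-"):
        return "data"
    return "other"

class AttrReflectionFinder(HTMLParser):
    """Record every (tag, attribute) whose value contains a request parameter value."""
    def __init__(self, probes):
        super().__init__()
        self.probes = probes          # {param_name: param_value}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:     # values arrive entity-decoded
            if value is None:
                continue
            for param, probe in self.probes.items():
                if probe in value:
                    self.findings.append({
                        "param": param, "tag": tag, "attr": name,
                        "at_start": value.startswith(probe),  # scheme position in a URL
                        "sink": classify_sink(name),
                    })

def find_attribute_hotspots(query_string, body):
    """Return attribute values in `body` that echo query parameters (review hot spots)."""
    # Ignore very short values: they match too often to be meaningful evidence.
    params = {k: v[0] for k, v in parse_qs(query_string).items() if len(v[0]) >= 4}
    finder = AttrReflectionFinder(params)
    finder.feed(body)
    return finder.findings

# Constructed request/response pair for demonstration.
SAMPLE_QS = "next=zz7Qprobe&theme=dark1234"
SAMPLE_BODY = """<html><body>
<a href="zz7Qprobe">Continue</a>
<div class="theme-dark1234" data-theme="dark1234">Profile</div>
<p>zz7Qprobe</p>
</body></html>"""

if __name__ == "__main__":
    for finding in find_attribute_hotspots(SAMPLE_QS, SAMPLE_BODY):
        print(finding)
```

Text-node reflections such as the `<p>` above are deliberately not reported; only attribute values are in scope for this check, and each finding still needs manual confirmation of exploitability.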

Remediation

Validate all input and sanitize (contextually encode) output before writing it to any HTML attribute. Attribute encoding alone does not stop a javascript: URL placed in href or src; restrict the scheme of those values to an allowlist such as http and https as well.