User Controllable JavaScript Event (XSS)

ID

user_controllable_javascript_event_xss

Severity

info

Kind

Cross-Site Scripting

CWE

20

Description

This check looks at user-supplied input in query string parameters and POST data to identify where JavaScript event handler attributes (onclick, onload, onerror, onmouseover, etc.) might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.

Rationale

JavaScript event handlers (onclick, onerror, onload, etc.) provide direct execution contexts where attackers can inject arbitrary code without needing script tags or evasion techniques. When user input flows into these attributes, an attacker can craft payloads that execute when the event triggers, such as a mouse movement or image load failure. This allows immediate script execution in the victim’s browser, bypassing many XSS filters that focus on detecting script tags rather than event handler injection.

Remediation

Validate all input and sanitize output before writing it into any JavaScript on* event handler attribute.
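As an added example (not part of this check's description or of any scanner's own code), the Node.js snippet below shows both halves of the point: a small hot-spot detector that flags request parameters reflected inside on* attributes of a response body, and a vulnerable rendering beside its hardened form. The parameter name, the button markup and the greet handler are constructed for illustration and are assumptions, not values from this page.

```javascript
// Added example: hot-spot detection for user-controlled on* attributes,
// plus a vulnerable/hardened rendering pair. All inputs are constructed.

// Matches on* event handler attributes in an HTML body and captures the
// event name and the quoted or unquoted attribute value.
const EVENT_ATTR_RE = /\son([a-z]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Returns one {param, event, snippet} entry for every request parameter
// whose value is reflected inside an on* attribute. As the check description
// says, this is a hot spot: exploitability is left to a human reviewer.
function findEventHandlerHotspots(params, responseBody) {
  const hotspots = [];
  for (const m of responseBody.matchAll(EVENT_ATTR_RE)) {
    const event = 'on' + m[1].toLowerCase();
    const value = m[3] ?? m[4] ?? m[5] ?? '';
    for (const [param, supplied] of Object.entries(params)) {
      // Very short values ("1", "ok") reflect everywhere; skip them as noise.
      if (supplied.length >= 3 && value.includes(supplied)) {
        hotspots.push({ param, event, snippet: m[0].trim() });
      }
    }
  }
  return hotspots;
}

// Vulnerable rendering (assumed template): the user-supplied name is
// interpolated straight into an onclick attribute, so whatever the user
// sends becomes part of the handler's JavaScript source.
function renderVulnerable(name) {
  return `<button onclick="greet('${name}')">Hi</button>`;
}

// HTML attribute encoding for the hardened form.
function encodeAttr(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened rendering: user data never enters an event handler attribute.
// It is attribute-encoded into a data-* attribute; the click handler is
// attached with addEventListener and only ever sees it as a string.
function renderHardened(name) {
  return `<button class="greet" data-name="${encodeAttr(name)}">Hi</button>`;
}

// Browser-side counterpart for renderHardened (assumed; not run under Node):
// document.querySelectorAll('.greet').forEach(b =>
//   b.addEventListener('click', () => greet(b.dataset.name)));

// Constructed request: one query parameter, rendered both ways.
const params = { name: 'Alice' };
const vulnerableHotspots = findEventHandlerHotspots(params, renderVulnerable(params.name));
const hardenedHotspots = findEventHandlerHotspots(params, renderHardened(params.name));

console.log('vulnerable page hot spots:', vulnerableHotspots); // one entry, onclick
console.log('hardened page hot spots:', hardenedHotspots);     // []
```

The detector deliberately reports reflection, not exploitability: a value that lands in an onclick attribute is only a hot spot until an analyst confirms the surrounding quoting, so the output is a review queue rather than a finding.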