i recently found out XSS is a big thread to my site. I have

Question

0

Asked: June 9, 20262026-06-09T20:02:01+00:00 2026-06-09T20:02:01+00:00

i recently found out XSS is a big thread to my site. I have

0

i recently found out XSS is a big thread to my site. I have set up several measures to prevent that like filtering user input , stripping out anything relates to javascript

But i recently found out that javascript can be encoded into hex code can be used in html img code,
i tried to make it myself, i found this on a XSS prevention site:

<img src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69 &#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27 &#x58&#x53&#x53&#x27&#x29>

This code is javascript:

javascript:alert('XSS');

the problem is , this code is not working properly, i cant test it out to see if this kind of stuff really works.

here’s the js fiddle:
http://jsfiddle.net/CCgT3/

The problem is it should be outputted as

<img src="javascript:alert('XSS')">

But the fiddle show something like this(firebug):

<img &#x58&#x53&#x53&#x27&#x29="" &#x70&#x74&#x3a&#x61&#x6c&#x65&#x72&#x74&#x28&#x27="" src="javascri">

Is there something wrong with the hex?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-09T20:02:02+00:00

Editorial Team

2026-06-09T20:02:02+00:00Added an answer on June 9, 2026 at 8:02 pm

Try to remove the spaces in the src attribute:

<img src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

Then it should work.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

i recently found out XSS is a big thread to my site. I have

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply