I’m sure that the answer to this question is No, but I can’t seem

Question

0

Asked: May 21, 20262026-05-21T11:14:17+00:00 2026-05-21T11:14:17+00:00

I’m sure that the answer to this question is No, but I can’t seem

0

I’m sure that the answer to this question is No, but I can’t seem to find a way that simply transforming < and > to < and > doesn’t completely block reflected and persistent XSS.

I’m not talking about CSRF.

If this doesn’t block XSS, can you provide an example of how to bypass this defence?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-21T11:14:18+00:00

Editorial Team

2026-05-21T11:14:18+00:00Added an answer on May 21, 2026 at 11:14 am

When using an untrusted string in an attribute (quoted with ") you need to escape " as &quot.

Otherwise you could easily inject javascript. For example, <a href="{{str}}"> with str being, for example, " onmouseover='something-evil'".

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’m sure that the answer to this question is No, but I can’t seem

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply