You received this message because you are subscribed to the Google Groups "OWASP Java HTML Sanitizer Support" group.
On Wednesday, February 7, 2018 at 7:32:07 PM UTC+5:30, Mike Samuel wrote:

> <IMG SRC="javascript:alert('XSS')<pre class="moz-signature" cols="72">
>
> is a single tag that is equivalent to
>
> <img src="javascript:alert('XSS') <pre class=" cols="72">
>
> Notice that there is no closing double quote nor a closing '>' after javascript:alert('XSS').

In that case the output should be <img /> but the output is <img class="moz-signature" />; the class attribute is identified. Moreover, <pre> is a valid HTML element, so why isn't it identified by the sanitizer?
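An added example, not code from the sanitizer or from the thread: a small subset of the WHATWG HTML5 tokenizer's start-tag states run over the fragment quoted above. It shows that the half-open vector produces no tag at all by itself, and that once the following markup supplies the closing quote and '>', `<pre class=` lands inside the src value instead of becoming a tag (how the sanitizer's own tokenizer handles this is the open question here, and this spec walk-through does not settle it).

```python
# Added example (not the sanitizer's code): a subset of the WHATWG HTML5
# tokenizer start-tag states, enough to show how an unterminated quoted
# attribute value swallows the markup that follows it. Character references
# and single-quoted values are left out; they do not matter for this input.
WS = " \t\n\f"

def tokenize_start_tag(s):
    """Tokenize the start tag beginning at s[0] == '<'.

    Returns (tag_name, [(attr_name, attr_value), ...], remaining_text), or
    None when the input ends inside the tag: HTML5 treats "EOF in tag" as a
    parse error and drops the whole token, so nothing is emitted."""
    if not (s.startswith("<") and s[1:2].isalpha()):
        raise ValueError("not a start tag")
    name, attrs, i, n = "", [], 1, len(s)
    while i < n and s[i] not in WS + "/>":            # tag name state
        name += s[i].lower(); i += 1
    while True:                                       # before attribute name
        while i < n and s[i] in WS + "/": i += 1      # ('/' without '>' is ignored)
        if i >= n: return None
        if s[i] == ">": return name, attrs, s[i + 1:]
        aname = ""
        while i < n and s[i] not in WS + "/>=":       # attribute name state:
            aname += s[i].lower(); i += 1             # a stray '"' just joins the name
        while i < n and s[i] in WS: i += 1            # after attribute name
        if i >= n or s[i] != "=":                     # valueless attribute
            attrs.append((aname, "")); continue
        i += 1                                        # consume '='
        while i < n and s[i] in WS: i += 1            # before attribute value
        if i >= n: return None
        if s[i] == '"':                               # double-quoted value
            j = s.find('"', i + 1)
            if j < 0: return None                     # EOF inside the value
            attrs.append((aname, s[i + 1:j])); i = j + 1
        else:                                         # unquoted value
            j = i
            while j < n and s[j] not in WS + ">": j += 1
            attrs.append((aname, s[i:j])); i = j

# Constructed inputs: the half-open vector by itself, then the same vector with
# the markup quoted in the thread following it.
HALF_OPEN = '<IMG SRC="javascript:alert(\'XSS\')'
FOLLOWED = HALF_OPEN + '<pre class="moz-signature" cols="72">'

def demo():
    # None for the first input (no tag is ever closed); one img tag for the second
    return tokenize_start_tag(HALF_OPEN), tokenize_start_tag(FOLLOWED)

if __name__ == "__main__":
    for label, token in zip(("alone", "followed by markup"), demo()):
        print(f"{label}: {token}")
```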