User Controllable JavaScript Event (XSS)
Reference
Plugin Id: 10043 | CWE: 20
Remediation
- Input validation: Implement strict input validation for all user-supplied data, especially for HTML attribute values.
- Output encoding: Properly encode all user data before inserting into HTML attributes, particularly JavaScript event handlers.
- Content Security Policy: Implement CSP headers to prevent execution of inline scripts and restrict script sources.
- Avoid user input in events: Never allow user input to directly control JavaScript event handler content.
- Use secure frameworks: Utilize web frameworks with built-in XSS protection and automatic encoding.
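The following is an added example, not code from the original reference entry. It shows the two remediations above side by side in plain JavaScript (runnable in Node, no DOM needed): a vulnerable template that concatenates user input straight into an onclick attribute, and a hardened template that applies attribute-context encoding and keeps the user value out of the event handler entirely by moving it into a data-* attribute that a separately registered listener reads. The function names, the hypothetical `track` handler and the constructed sample inputs are assumptions made for this illustration.

```javascript
// Added example (not part of the original reference entry). Demonstrates
// attribute-context output encoding and the "no user input in event
// handlers" rule from the remediation list. All names and inputs are constructed.

// Encode a value for insertion inside a double-quoted HTML attribute.
// Every character that can terminate the attribute or start a tag is
// replaced by its numeric character reference.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[&<>"'`=\/]/g, (ch) =>
    '&#x' + ch.charCodeAt(0).toString(16) + ';');
}

// Vulnerable pattern: the user-supplied label lands directly inside an
// onclick handler (track is a hypothetical analytics function). A double
// quote in the input closes the attribute, so the input, not the developer,
// decides where the handler's code ends.
function renderVulnerable(label) {
  return `<button onclick="track('${label}')">${label}</button>`;
}

// Hardened pattern: the user value never appears in an on* attribute. It is
// encoded for attribute context and stored in data-label; a listener registered
// from a separate script reads it as plain text, e.g.
//   button.addEventListener('click', (e) => track(e.currentTarget.dataset.label));
// so CSP can also block inline handlers without breaking the page.
function renderHardened(label) {
  const safe = encodeForHtmlAttribute(label);
  return `<button data-label="${safe}">${safe}</button>`;
}

// Review check: does any on* handler attribute in the markup carry the raw
// user input? Useful in a unit test of a rendering function.
function userInputInEventHandler(html, input) {
  const handlers = html.match(/\son\w+="[^"]*"/gi) || [];
  return handlers.some((h) => h.includes(input));
}

// Constructed sample inputs: a harmless label and one containing quotes.
const plainLabel = 'hello';
const quotedLabel = 'say "hi"';

console.log(renderVulnerable(quotedLabel)); // attribute is terminated by the input's quote
console.log(renderHardened(quotedLabel));   // quotes become &#x22; and stay inside the attribute
```

In the vulnerable output the attribute boundary is decided by the input; in the hardened output the encoded value stays inside `data-label` and the click handler is attached from script, which is also the form a strict CSP (no `unsafe-inline`) permits.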
About
User controllable JavaScript events occur when applications allow user input to influence HTML attribute values, particularly JavaScript event handlers like onclick, onload, or onmouseover. This creates potential XSS attack vectors where malicious scripts can be injected through these controllable attributes.
Risks
High: User controllable JavaScript events can lead to Cross-Site Scripting (XSS) attacks, enabling session hijacking, credential theft, malicious redirects, and complete compromise of user interactions with the application.