CWE-83 Cross-Site Scripting in Attributes
What this means
SiteShadow flagged untrusted input flowing into HTML attributes or event handler contexts (e.g., href=, src=, on*=). Attribute contexts have different escaping rules than plain text.
Why it matters
Attribute injection can execute scripts or bypass sanitization.
- Attackers can inject javascript: URLs or break out of attributes to run script.
- It can bypass "sanitize HTML" approaches that don't handle attribute contexts correctly.
Safer examples
1) Don't construct attributes from untrusted strings
Prefer framework bindings that correctly encode attributes.
2) Allowlist URL schemes and hosts
const u = new URL(inputUrl, "https://example.com"); // relative inputs resolve against a trusted base; absolute ones keep their own scheme
if (!["https:"].includes(u.protocol)) throw new Error("Invalid scheme"); // rejects javascript:, data:, http: and anything else not allowlisted
3) Avoid inline event handlers entirely
Never build onclick="..." from user input. Use addEventListener with safe data handling.
How SiteShadow detects it (high level)
- Detects assignment to attribute sinks (setAttribute, template attribute interpolation, inline handler construction).
- Flags when user-controlled values reach href/src/style/on* without allowlists/encoding.
References
- CWE-83: https://cwe.mitre.org/data/definitions/83.html