Brave Search

Exploiting XSS in jQuery without equal character?

security.stackexchange.com › questions › 183245 › exploiting-xss-in-jquery-without-equal-character

I think it is safe to say at this point that there is no trivial/text-book bypass for this filter using a modern browser. I shared this snippet of code with a group of friends and colleagues who I consider proficient in XSS and none of them could construct a bypass.

Answer from EdOverflow on Stack Exchange

PortSwigger

portswigger.net › web-security › cross-site-scripting › dom-based

What is DOM-based XSS (cross-site scripting)? Tutorial & Examples | Web Security Academy

When the iframe is loaded, an XSS vector is appended to the hash, causing the hashchange event to fire. Even newer versions of jQuery can still be vulnerable via the $() selector sink, provided you have full control over its input from a source ...

GitHub

github.com › cve-sandbox › jquery

GitHub - cve-sandbox/jquery: CVE Collection of jQuery XSS Payloads · GitHub

CVE Collection of jQuery XSS Payloads. Contribute to cve-sandbox/jquery development by creating an account on GitHub.

Starred by 75 users

Forked by 11 users

Languages HTML

Videos

02:46

YouTube

DOM XSS in jQuery anchor href attribute sink using location search ...

HackerKast Episode 10 - XSS Vulnerability in jQuery, Let's Encrypt, ...

DOM XSS in jQuery Selector Sink - YouTube

DOM XSS in jQuery Selector Sink using a Hashchange Event - YouTube

January 23, 2023

10:47

YouTube

XSS - Exploiting Vulnerable JQuery Sink - YouTube

exploit-db.com › exploits › 52141

jQuery 3.3.1 - Prototype Pollution & XSS Exploit - Multiple webapps Exploit

April 8, 2025 - Load vulnerable jQuery (version 3.3.1) const script = document.createElement('script'); script.src = "https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"; document.head.appendChild(script); // 2. Function to execute after jQuery is loaded script.onload = function() { console.log("[+] Vulnerable jQuery loaded!"); // 3. Inject malicious content for XSS (CVE-2020-7656) const maliciousContent = "<script>alert('XSS via CVE-2020-7656: ' + document.domain)</script >"; // Space after </script> $('body').append(maliciousContent); console.log("[+] XSS payload (CVE-2020-7656) injected.

TrustedSec

trustedsec.com › home › blog › everything you need to know about jquery and its vulnerabilities

TrustedSec | Everything You Need to Know About jQuery and its…

March 19, 2025 - As an example, the following code would be exploitable if the input value contained an XSS payload. ... Result: The XSS in the username value is added to the page HTML. Another function that can add unmodified HTML to the page is the load() function. load() - Loads data from a server and puts the returned data into the selected element ... redirect = .search if(redirect.indexOf("?redirect=")>=0){ path=redirect.split("redirect=")[1] $('body').load(path) } Another way to execute XSS in jQuery is though the selector engine.

Price $

Address 3485 Southwestern Boulevard, 44333, Fairlawn

GitHub

github.com › EdOverflow › bugbounty-cheatsheet › blob › master › cheatsheets › xss.md

bugbounty-cheatsheet/cheatsheets/xss.md at master · EdOverflow/bugbounty-cheatsheet

A list of interesting payloads, tips and tricks for bug bounty hunters. - bugbounty-cheatsheet/cheatsheets/xss.md at master · EdOverflow/bugbounty-cheatsheet

Author EdOverflow

xss.js.org

xss payloads collect

A magical documentation generator.

Stack Exchange

security.stackexchange.com › questions › 183245 › exploiting-xss-in-jquery-without-equal-character

attacks - Exploiting XSS in jQuery without equal character? - Information Security Stack Exchange

Top answer

1 of 4

Contrary to what is being said in the accepted answer, jQuery.html() and the many jQuery functions which accept HTML strings as arguments are more prone to DOM-based XSS injection than innerHTML, as noticed by the OP.

jQuery.html() extracts the <script> tags, updates the DOM and evaluates the code embedded in the script tags.

As a result, XSS can happen without user interaction even after the DOM is loaded when using jQuery.html().

This is very easy to demonstrate.

This will call alert():

$('.xss').html('<script>alert("XSS");</script\>');

http://jsfiddle.net/2TpHC/

While this will not:

var d = document.getElementById('xss');
d.innerHTML = '<script\>alert("XSS");</script\>';

http://jsfiddle.net/Tjspu/

Unfortunately, there are many other code paths (sinks) which lead to calling eval() in jQuery. The security conscious will probably avoid jQuery altogether, as far as possible.

Note that I do not claim that using innerHTML is an effective defense against XSS. It is not. Passing unescaped data to innerHTML is not safe, as pointed out by @daghan. One should always properly escape data when generating HTML.

2 of 4

JQuery strips out the script tags, which is why you aren't seeing it append to the dom let alone executing.

To see an explanation of why jquery strips it out, you can see John Resig's reply here: https://forum.jquery.com/topic/jquery-dommanip-script-tag-will-be-removed

Hope this helps

Medium

bayefran.medium.com › xss-dom-xss-in-jquery-selector-sink-using-a-hashchange-event-17d23417675b

XSS — DOM XSS in jQuery selector sink using a hashchange event | by efran | Medium

August 7, 2023 - I was able to trigger XSS with https://lab-id.web-security-academy.net#<img src=x onerror=alert(1)> Now, let’s load the same page inside an iframe and deliver it to the victim to trigger XSS. The payload should trigger an alert since the jquery selector $() will first try to select (find) the item on the page and when it fails (the string does not exist in this example), it will add the element.

Undercode Testing

undercodetesting.com › home › mastering jquery-ui xss payloads: ethical hacking techniques

Mastering JQuery-UI XSS Payloads: Ethical Hacking Techniques - Undercode Testing

June 18, 2025 - Identify Target: Find a site using jQuery-UI (version < 1.13.0). Inject Payload: Insert the script in a tooltip-triggered element (e.g., `title` attribute). Trigger Execution: Hover over the element to execute the XSS.

Samuel Mortenson

mortenson.coffee › blog › promoting-jquery-json-jsonp-trigger-xss

Promoting jQuery JSON to JSONP to trigger XSS | Samuel Mortenson

November 20, 2020 - $.ajax("<payload>”, {dataType: "json"}) The answer was, surprisingly, yes. You can trigger XSS by only controlling the AJAX URL, or in some cases just the tail end of the URL, regardless of the caller. To explain this, let’s read the documentation for jQuery.ajax(): dataType (default: Intelligent Guess (xml, json, script, or html)) Type: String The type of data that you're expecting back from the server.

PortSwigger

portswigger.net › web-security › cross-site-scripting › cheat-sheet

Cross-Site Scripting (XSS) Cheat Sheet - 2026 Edition | Web Security Academy

This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters.

Snyk

security.snyk.io › snyk vulnerability database › npm

Cross-site Scripting (XSS) in jquery.terminal | CVE-2021-43862 | Snyk

jquery.terminal is a plugin for creating command line interpreters in your applications. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The code for XSS payload is always visible, but an attacker can use other ...

HackTricks

book.hacktricks.xyz › pentesting-web › xss-cross-site-scripting

XSS (Cross Site Scripting) | HackTricks

July 19, 2024 - From here: You can execute an XSS payload inside a hidden attribute, provided you can persuade the victim into pressing the key combination. On Firefox Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X. You can specify ...

Stack Overflow

stackoverflow.com › questions › 62944833 › dom-xss-in-jquery-show-function

DOM XSS in Jquery show() function - Stack Overflow

July 16, 2020 - Our code scanner keeps marking above line as DOM based XSS. ... I have tried multiple payloads, but I am unable to execute an alert. is this a valid DOM vulnerability and what payload would I need to pass in item to exploit? ... The reason this is flagged is not show(). It's because $('#' + item + '-add') appends user input in a jquery selector.

GitHub

github.com › cve-sandbox › jquery-ui

GitHub - cve-sandbox/jquery-ui: CVE Collection of jQuery UI XSS Payloads · GitHub

CVE Collection of jQuery UI XSS Payloads . Contribute to cve-sandbox/jquery-ui development by creating an account on GitHub.

Starred by 120 users

Forked by 17 users

Languages HTML

Snyk

security.snyk.io › snyk vulnerability database › npm

Cross-site Scripting (XSS) in jquery | CVE-2020-7656 | Snyk

May 19, 2020 - jquery is a package that makes ... API that works across a multitude of browsers. Affected versions of this package are vulnerable to Cross-site Scripting (XSS)....

Hackviser

hackviser.com › cross-site scripting (xss)

Cross-Site Scripting (XSS) Attack Guide | Hackviser

Payload is executed through client-side JavaScript manipulation: # URL Fragment Exploitation #<img src=x onerror=alert(1)> # Targeting location.hash ?search=<img src=x onerror=alert(1)> # Targeting location.search # DOM Manipulation document.write('... USER_INPUT ...') # document.write injection element.innerHTML = '... USER_INPUT ...' # innerHTML injection $("#element").html('... USER_INPUT ...') # jQuery html() injection

Medium

medium.com › @diablo0x › lab-dom-xss-in-jquery-selector-sink-using-a-hashchange-event-1a63f5ffab6a

Lab: DOM XSS in jQuery selector sink using a hashchange event | by Mahmoud Salah | Medium

December 21, 2023 - a. First, check if your search term is reflected anywhere on the website. b. Second, try using characters that are commonly used in XSS payloads such as ( ‘“<>/ ) Observe if these characters undergo any changes in the response. If they remain unchanged, go to the next step.