Are there different types of HTML closing tags?

Recently I came across this type of tag in an HTML: <x/ id="someId" onpointermove=alert`hello`>

This data was fetched from the server as JSON and then written into the HTML view. The HTML view displays the data with no issues. However, on running the request that just fetches the data in a new tab, the JavaScript code is running.

How is this code running?

I just know this type of self-closing tag: <x id="someId" />. So, what is this different type of tag I encountered?

Also, is this another way of using the back tick?

I initially thought it was a type of string interpolation. But I could not find any reference to this particular type of code in it. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals

Answer

It’s deliberately incorrect HTML syntax – you can verify this by pasting it (with the necessary boilerplate, below) into the W3 HTML validator.

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>a</title>
</head>
<body>
  <x/ id="someId" onpointermove=alert`hello`>
</body>
</html>

This gives several validation errors.

However, unlike XML, HTML is very forgiving. It’ll do its best to render something, even if what it’s given is very obviously wrong. There are complex rules about how it goes about doing this, but these days it’s almost always at least consistent between modern browsers (and if it’s not, that’s due to bugs, rather than differences of opinion between vendors).

In this case, what it renders actually resolves to the following outerHTML:

<x id="someId" onpointermove="alert`hello`">
</x>

Malformed syntax like this is often used to deliberately test the limits of XSS prevention, because XSS prevention might perceive it as “safe”, even though browsers will actually render something dangerous.

Of particular interest here is alert`hello` – backticks are another way of getting JavaScript to call functions, without using parentheses. This is due to how tagged template literals work. So an out-of-date or buggy XSS sanitizer might perceive alert`hello` as “safe” because it doesn’t contain any function calls (determined by absence of parentheses), yet actually it still executes alert.

User contributions licensed under: CC BY-SA
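
Added example (not part of the original question or answer): the check the answer describes, run against the attribute value from the page, next to a filter that allowlists attribute names instead of inspecting the script. The names naiveLooksSafe, runHandler, filterAttrs and ALLOWED_ATTRS are hypothetical, the attribute list is a constructed sample of what an HTML parser reports for the tag, and a stub stands in for the browser's alert so the code runs offline in Node.

```javascript
// Attribute list as an HTML parser reports it for the page's tag (constructed sample).
const parsedAttrs = [
  { name: "id", value: "someId" },
  { name: "onpointermove", value: "alert`hello`" },
];

// Weak check described in the answer: "no parentheses means no function call".
function naiveLooksSafe(value) {
  return !/[()]/.test(value);
}

// Stand-in for the browser compiling a handler attribute into a function body.
// alertStub replaces window.alert so the call can be observed offline.
function runHandler(source) {
  const seen = [];
  const alertStub = (arg) => { seen.push(String(arg)); };
  new Function("alert", source)(alertStub);
  return seen;
}

// Hardened policy (assumed allowlist): keep known-harmless attribute names only,
// so every on* handler is dropped without trying to judge its JavaScript.
const ALLOWED_ATTRS = new Set(["id", "class", "title"]);
function filterAttrs(attrs) {
  return attrs.filter(({ name }) => ALLOWED_ATTRS.has(name.toLowerCase()));
}

function demo() {
  const handler = parsedAttrs[1].value;
  return {
    naiveVerdict: naiveLooksSafe(handler),             // weak check passes the value
    callsMade: runHandler(handler),                    // yet the tagged template calls the stub
    kept: filterAttrs(parsedAttrs).map((a) => a.name), // allowlist keeps only "id"
  };
}

console.log(demo());
```

The stub receives the template's strings array, which stringifies to "hello". The allowlist only holds if the attribute names come from a real HTML parser, since the parser normalizes malformed input such as <x/ ...> before the filter sees it.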