Reading this XSS cheat sheet, I noticed a special usage I have never seen:
<img src="/" =_=" title="onerror='prompt(1)'">
What does “=_=” mean? It’s below the sentence “On Mouse Over”.
Advertisement
Answer
It’s just an attribute on the element. It doesn’t have any meaning by itself, so it may be present simply as a red herring.
Prettified, the code is:
<img src="/" =_=" title=" onerror='prompt(1)'" >
In HTML, = in an attribute specifies the delimiter between the attribute name and the attribute value, so it’s:
=_=" title="
^^ attribute name
=_=" title="
^ delimiter between attribute name and attribute value
=_=" title="
^ attribute value contents delimiter
=_=" title="
^^^^^^^ attribute value
=_=" title="
^ attribute value contents delimiter
And you could retrieve the attribute value if you wanted.
const img = document.querySelector('img');
console.log(img.getAttribute('=_'));<img src="/" =_=" title=" onerror='prompt(1)'" >
Note that the attribute name is =_, not =_= – the final = is the delimiter, not part of the attribute name.
The “XSS” is caused only by the src and the onerror, not by anything else. Wherever you’re encountering this, the =_ probably doesn’t do anything at all. It could, but it probably doesn’t.
<img src="/" onerror='prompt(1)'">