Skip to content

Bug: DOM-Based XSS in Open Graph Inspector via Unescaped Quotes #352

Description

@devprashant19

Affected Tool or Page

Open Graph Inspector (tools/open-graph-inspector.html)

Bug Description

The HTML escaping helper escHtml inside tools/open-graph-inspector.html uses div.textContent and div.innerHTML to escape HTML text nodes. This correctly escapes < and >, but it does not escape double quotes (") or single quotes (') because they are valid plain text inside HTML text nodes.

Since the returned values are interpolated directly into double-quoted HTML attributes:

<img class="img-preview" id="ogImagePreview" src="${escHtml(previewImage)}" ...>

An attacker can supply a metadata URL or string containing a double quote (e.g. https://example.com/image.jpg" onerror="alert(document.domain)) to break out of the attribute container and inject arbitrary attributes/event handlers.

Steps to Reproduce

  1. Open the Open Graph Inspector tool (tools/open-graph-inspector.html).
  2. Select "Paste HTML" mode.
  3. Paste the following snippet:
    <meta property="og:image" content='https://example.com/image.jpg" onerror="alert(document.domain)' />
  4. Click the "Analyze" button.
  5. See the XSS payload execute (alert(document.domain) is fired).

Expected Behavior

Double and single quotes inside metadata attributes should be properly escaped (to &quot; and &#039;), preventing attribute breakout when rendered inside attribute quotes.

Actual Behavior

The quotes remain unescaped, leading to attribute breakout and script execution.

Environment

Any modern browser (Chrome, Firefox, Safari, Edge), any OS.

Screenshots

No response

Pre-submission Checklist

  • I have checked existing issues for duplicates.
  • I have tested this in at least one modern browser.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions