Affected Tool or Page
Open Graph Inspector (tools/open-graph-inspector.html)
Bug Description
The HTML escaping helper escHtml inside tools/open-graph-inspector.html uses div.textContent and div.innerHTML to escape HTML text nodes. This correctly escapes < and >, but it does not escape double quotes (") or single quotes (') because they are valid plain text inside HTML text nodes.
Since the returned values are interpolated directly into double-quoted HTML attributes:
<img class="img-preview" id="ogImagePreview" src="${escHtml(previewImage)}" ...>
An attacker can supply a metadata URL or string containing a double quote (e.g. https://example.com/image.jpg" onerror="alert(document.domain)) to break out of the attribute container and inject arbitrary attributes/event handlers.
Steps to Reproduce
- Open the Open Graph Inspector tool (
tools/open-graph-inspector.html).
- Select "Paste HTML" mode.
- Paste the following snippet:
<meta property="og:image" content='https://example.com/image.jpg" onerror="alert(document.domain)' />
- Click the "Analyze" button.
- See the XSS payload execute (
alert(document.domain) is fired).
Expected Behavior
Double and single quotes inside metadata attributes should be properly escaped (to " and '), preventing attribute breakout when rendered inside attribute quotes.
Actual Behavior
The quotes remain unescaped, leading to attribute breakout and script execution.
Environment
Any modern browser (Chrome, Firefox, Safari, Edge), any OS.
Screenshots
No response
Pre-submission Checklist
Affected Tool or Page
Open Graph Inspector (
tools/open-graph-inspector.html)Bug Description
The HTML escaping helper
escHtmlinsidetools/open-graph-inspector.htmlusesdiv.textContentanddiv.innerHTMLto escape HTML text nodes. This correctly escapes<and>, but it does not escape double quotes (") or single quotes (') because they are valid plain text inside HTML text nodes.Since the returned values are interpolated directly into double-quoted HTML attributes:
An attacker can supply a metadata URL or string containing a double quote (e.g.
https://example.com/image.jpg" onerror="alert(document.domain)) to break out of the attribute container and inject arbitrary attributes/event handlers.Steps to Reproduce
tools/open-graph-inspector.html).alert(document.domain)is fired).Expected Behavior
Double and single quotes inside metadata attributes should be properly escaped (to
"and'), preventing attribute breakout when rendered inside attribute quotes.Actual Behavior
The quotes remain unescaped, leading to attribute breakout and script execution.
Environment
Any modern browser (Chrome, Firefox, Safari, Edge), any OS.
Screenshots
No response
Pre-submission Checklist