I've got a div on my page with an id attribute containing escaped HTML, for example:

<div class="myDiv" id="&lt;script&gt;alert(1)&lt;/script&gt;></div>

Can I, with JavaScript and jQuery, take the value of this attribute as it is coded? Using just $('.myDiv').attr('id') I'm just getting <script>alert(1)</script>, and I have to know if this HTML has already been escaped :O

Just need to get this attribute in JS as &lt;script&gt;alert(1)&lt;/script&gt;

https://i.stack.imgur.com/vXmVK.png

1 Answer

You might consider something safer. You must also wrap it properly. Your example is missing a closing quote.

<div class="myDiv" id="myDiv-1" data-script="alert(1)"></div>

You could also do it this way.

<div class="myDiv" id="myDiv-1" data-script="&lt;script&gt;alert(1)&lt;/script&gt;"></div>

Again this is not good practice. You may want to consider another method.

Twisty
  • There is sometimes HTML escaping on the backend side before this value is rendered on the frontend side, and after render jQuery is taking this value and renders a tooltip with this value, but there is no escaped HTML, so I've got an XSS problem here :D But I also can't escape this value on the frontend side because this tooltip component, according to the documentation, can accept HTML :( So that's why I need to catch this attribute value with escaped HTML (if it was escaped on the backend) – Karol Skwierawski Nov 07 '22 at 22:46
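
Added example, not part of the answer or comments above: the HTML parser decodes character references in attribute values before any script runs, so `.attr('id')` returns the same string whether or not the source was escaped. The sketch below models that decoding for a few references and shows escaping the value again before it goes to a sink that accepts HTML; the helper names and sample strings are constructed for illustration.

```javascript
// References handled by this model; a real parser knows the full named list.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Out-of-range numeric references become U+FFFD instead of throwing.
const fromCode = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD');

// Hypothetical helper: what the parser does to an attribute value before
// .attr() / getAttribute() can see it. Decoding is a single pass.
function decodeAttributeValue(source) {
  return source.replace(/&(?:#(\d+)|#x([0-9a-f]+)|([a-z]+));/gi, (m, dec, hex, name) => {
    if (dec) return fromCode(parseInt(dec, 10));
    if (hex) return fromCode(parseInt(hex, 16));
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
  });
}

// Escape a plain-text value for insertion into HTML markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed samples: the same attribute value written three ways in page source.
const SOURCES = {
  escapedOnce: '&lt;script&gt;alert(1)&lt;/script&gt;',
  notEscaped: '<script>alert(1)</script>',
  numericRefs: '&#60;script&#62;alert(1)&#60;/script&#62;',
};

// All three sources collapse to one DOM value, so the DOM value alone cannot
// reveal whether the backend escaped it.
function domValues() {
  return Object.fromEntries(
    Object.entries(SOURCES).map(([k, v]) => [k, decodeAttributeValue(v)])
  );
}

// Treat the DOM value as text and escape it before passing it to a component
// that interprets its input as HTML (such as the tooltip in the comment).
function tooltipMarkup(domValue) {
  return escapeHtml(domValue);
}

console.log(domValues());
console.log(tooltipMarkup(domValues().escapedOnce));
```

Because the decoded value is identical in every case, the frontend can always escape it once at the point of use without risking double escaping of what the backend sent.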