XSS inside anchor tag (<a>) without user interaction?
You can force the user interaction with CSS, by making the a element a fixed-positioned block element with a large size and z-index.
<a style="display: block; position: fixed; top: 0; left: 0; z-index: 99999; width: 9999px; height: 9999px;" onmouseover="alert('xss')">
Yes, that's possible.
The onfocus and autofocus trick does not work in tag (correct me if I'm wrong).
Correct, the autofocus attribute doesn't exist for <a> tags. But instead, you can take advantage of anchor names to still achieve the autofocus effect.
E.g., create a document with this link:
<a href="#" onfocus="alert('Gimme bounty!')" name="foo">Click me</a>
Now open the document as https://example.com/anchor.html#foo. The anchor #foo will make the browser autofocus the link element with the name foo and trigger the JS payload.
(This works for me in Google Chrome but not Firefox.)
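From the defender's side, both answers depend on extra attributes (onfocus and name, or style and onmouseover) ending up on the a element. The following is an added example, not part of either answer, that assumes the injection point is a double-quoted href value built by string concatenation; the function names and the two input strings are constructed for illustration.

```javascript
// Added example; all function names here are hypothetical.

// Vulnerable: the value is concatenated into a double-quoted attribute as-is.
function renderLinkUnsafe(href, text) {
  return '<a href="' + href + '">' + text + '</a>';
}

// Encode HTML-significant characters so a value cannot close its quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Hardened: the value stays inside href, whatever it contains.
function renderLinkSafe(href, text) {
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text) + '</a>';
}

// List the attribute names an HTML parser would see on the leading <a> start tag.
// Simplified tokenizer for this demo only, not a general HTML parser.
function attrNames(html) {
  const tag = /^<a\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/i.exec(html);
  if (!tag) return [];
  const names = [];
  const attr = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed inputs: the attribute sets from the two answers above,
// prefixed with a quote that closes the href value.
const focusInput = '#" onfocus="alert(\'Gimme bounty!\')" name="foo';
const hoverInput = '#" style="display: block; position: fixed" onmouseover="alert(\'xss\')';

function demo() {
  return {
    unsafeFocus: attrNames(renderLinkUnsafe(focusInput, 'Click me')),
    unsafeHover: attrNames(renderLinkUnsafe(hoverInput, 'Click me')),
    safeFocus: attrNames(renderLinkSafe(focusInput, 'Click me')),
    safeHover: attrNames(renderLinkSafe(hoverInput, 'Click me')),
  };
}

console.log(demo());
```

Encoding keeps the value inside href; it does not validate the URL scheme, which needs a separate allowlist.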