XSS inside anchor tag (<a>) without user interaction?

You can force the user interaction with CSS, by making the <a> element a fixed-positioned block element with a large size and z-index.

<a style="display: block; position: fixed; top: 0; left: 0; z-index: 99999; width: 9999px; height: 9999px;" onmouseover="alert('xss')">


Yes, that's possible.

The onfocus and autofocus trick does not work in <a> tag (correct me if I'm wrong).

Correct, the autofocus attribute doesn't exist for <a> tags. But instead, you can take advantage of anchor names to still achieve the autofocus effect.

E.g., create a document with this link:

<a href="#" onfocus="alert('Gimme bounty!')" name="foo">Click me</a>

Now open the document as https://example.com/anchor.html#foo. The anchor #foo will make the browser autofocus the link element with the name foo and trigger the JS payload.

(This works for me in Google Chrome but not Firefox.)
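
Both payloads above depend on attacker-controlled text being able to close a quoted attribute and add style, onmouseover, onfocus or name to the tag. The block below is an added example, not part of either answer. It shows a template that concatenates raw input next to one that encodes the value for the attribute context, and it also allowlists href schemes, which goes beyond what the answers discuss. All function names are hypothetical and the sample input is constructed from the second answer's markup.

```javascript
// Added example (not from the answers). Helper names are hypothetical.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };

// Encode a value for use inside a quoted HTML attribute or as element text.
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => ESC[c]);
}

// Assumption: only http(s), root-relative, fragment and query links are allowed.
function safeHref(value) {
  const v = String(value).trim();
  return /^(https?:\/\/|\/(?![\/\\])|#|\?)/i.test(v) ? v : '#';
}

// Hardened form: the value is encoded, so it stays inside href="...".
function renderLink(href, text) {
  return `<a href="${escapeAttr(safeHref(href))}">${escapeAttr(text)}</a>`;
}

// Vulnerable form: what a template that concatenates raw input does.
function renderLinkUnsafe(href, text) {
  return `<a href="${href}">${text}</a>`;
}

// List attribute names of the opening <a> tag, honouring quoted values.
// Useful as a regression check on rendered output.
function attrNames(html) {
  const open = html.match(/^<a\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/i);
  if (!open) return null;
  const names = [];
  const re = /([^\s"'=\/>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(open[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed input: the second answer's attributes arriving through an href value.
const SAMPLE = `#" onfocus="alert('Gimme bounty!')" name="foo`;

console.log(attrNames(renderLinkUnsafe(SAMPLE, 'Click me'))); // extra attributes appear
console.log(attrNames(renderLink(SAMPLE, 'Click me')));       // only href remains
console.log(renderLink(SAMPLE, 'Click me'));
```

A Content-Security-Policy that disallows inline event handlers is a useful second layer, since it stops on* attributes from running even if an encoding step is missed somewhere.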