在这种情况下可以使用XSS吗？

Question

I'm not really good with security...So just wondering if in the event i was using lightbox 2.6.1 and i had

Edit: Example shows static, but in reality this google.com link comes from a mySQL DB which i have populated with links that goes along with the images (IE when users upload their image they key in a Image Link Source) so the Google.com is replace with that.

<a href="uploads/image.jpg" data-lightbox="example-set" title="&lt;a target='_self' href='http://www.google.com'&gt;Google&lt;/a&gt;">
<img src="uploads/image.jpg" alt="" />
        </a>

Would it be possible to execute a XSS or any form of dangerous javascript? I'm asking because i'm hesitant about this part.

title="<a target='_self' href='http://www.google.com'>Google</a>"

Answer 1

The answer is "probably". It appears that HTML is being embedded within a " title " attribute of a HREF so make sure that you cannot break out of either

1. The title tag.
2. The embedded href tag

It all depends on what encoding you are using to insert values there but it may be tricky to ensure you are safe using encoding alone as you will also make sure that it is not possible to insert javascript: URLs.

Is there any validation you can perform on the URLs before they are inserted into your database? eg that the filename only contains alphanumeric characters and one dot before the extension.

See here for more info on preventing XSS: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet