这是什么类型的 XSS 以及如何防止它

Question

Here is the code of example.com that I saved to my computer desktop as index.html:

<channel> <title>Comments on: Voor uw organisatie</title> <atom:link href="https://example.com/feed/" rel="self" type="application/rss+xml" /> <link>https://example.com</link> <description>PIM: Wie weet wat van mij?</description> <lastBuildDate>Mon, 17 Sep 2018 13:22:52 +0000</lastBuildDate> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>https://wordpress.org/?v=4.9.3</generator> </channel> 

I opened that file in a text editor and changed

<generator>https://wordpress.org/?v=4.9.3</generator> 

to

<generator>"><img src="x" onerror="alert(document.cookie)"></generator> 

When I opened the modified HTML file in Firefox I get an alert box with cookies. I know it is XSS, because I am getting that XSS alert in my browser.

My question is why is this happening? Cause I didn't injected this code in a parameter. So how can developer fix this or sanitize this code?

Is there any impact of this?

Answer 1

Given a website run by Alice and visited by Bob, an XSS attack would occur when Mallory (an attacker) caused JavaScript to run in Alice's browser on Bob's website.

Alice editing an HTML document on her computer (even one copied from another website) so it runs JavaScript, and then loading that HTML document in her browser is not performing an XSS attack. She is just running JavaScript on a system she has complete control over.

Answer 2

This isn't XSS, this is broken HTML. The alert is a false positive.