False Negatives in XSS Detection on Event Handler Attributes

[arminabf]

The libinjection.IsXSS() function fails to detect certain HTML5 event handler attributes as XSS vectors.

Environment:

• libinjection-go latest version
• Go 1.24.7

package main

import (
  "fmt"

  "github.com/corazawaf/libinjection-go"
)

func main() {
  events := []string{
    "onauxclick",
    "onpagereveal",
    "onpageswap",
    "onscrollsnapchange",
    "onscrollsnapchanging",
    "onwebkitwillrevealbottom",
  }

  for i, event := range events {
    payload := fmt.Sprintf("<tag %s=alert(1)>", event)
    fmt.Printf("result %d (%s): %v\n", i, event, libinjection.IsXSS(payload))
  }
}

Results:

result 0 (onauxclick): false
result 1 (onpagereveal): false
result 2 (onpageswap): false
result 3 (onscrollsnapchange): false
result 4 (onscrollsnapchanging): false
result 5 (onwebkitwillrevealbottom): false

[jptosso]

We'll look into it, I just assigned Copilot to test this feature

[jptosso]

@fzipi @jcchavezs @M4tteoP what is our posture around experimental html features from different browsers? I think if we are going to add a few, we should add them all

[fzipi]

I've been trying to push this one for the upstream C module for a while: https://github.com/libinjection/libinjection/pull/57/files