HTML Attribute Injection

Medium+100 XPA03:2021 InjectionCWE-79

XSSHTML AttributeOutput Encoding

Scenario

Your application dynamically builds HTML attributes from user-supplied values, for example: <input value="{userValue}">.

The current escapeAttribute function only escapes < and >, leaving the double-quote character unescaped.

An attacker can supply a value like "> to break out of the attribute context and inject arbitrary JavaScript.

Attribute injection is one of the most exploited XSS vectors. A single unescaped quote or double-quote in an attribute value can allow an attacker to inject event handlers or entirely new HTML elements.

Your Tasks

Fix escapeAttribute so it escapes all five dangerous HTML characters.
Escape in order: & → &, < → <, > → >, " → ", ' → '.
Return the escaped string — do not throw.

Examples

Example 1 — Attribute breakout (bug)

escapeAttribute('">')
// returns '">'
// <input value=""> → attribute broken!

Example 2 — Safely escaped (fix)

escapeAttribute('">')
// returns '&quot;&gt;'

Constraints

›Escape & first to avoid double-escaping.
›Both single and double quotes must be escaped.
›Plain text with no special characters must be returned unchanged.

Hint

References

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html https://owasp.org/www-project-top-ten/2021/A03_2021-Injection https://html.spec.whatwg.org/multipage/syntax.html#attributes-2

solution.js

Ln 1, Col 1│UTF-8│JavaScript

Sandbox ready

0/0/0not run