web javascript xss sanitizer-bypass event-handlers case-insensitive

Bypass blacklists that miss mixed-case event handlers, since HTML attribute names are case-insensitive in the browser.

Weak HTML Sanitizer / Case-Insensitive Event Handlers

HTML attribute names are case-insensitive in the browser. Sanitizers that blacklist lowercase onerror but do not normalize Onerror or ONERROR do not actually remove the event handler.

Why It Works

  • The defense compares exact lowercase strings while the browser accepts any casing.

Vulnerable Pattern

  • Regex-based sanitization, ad-hoc checks that miss uppercase variants, or allowlists that inspect only exact lowercase attribute names.

Exploit Flow

  1. Replay the same payload family with mixed-case event handlers and attribute names.
  2. If classic tags are filtered, try custom elements or media tags whose event behavior differs from the assumed model.

Variations

  • Src, Onerror, oNLoAd, SVG attributes, or namespace-like forms.

Common Blockers

  • Proper parser-based sanitizers that normalize attribute names before policy checks.

PoC Sketch

<img Src=x Onerror=alert(1)>
<video src=1 ONERROR=alert(1)>
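Added example (not from the original page or from any sanitizer project): the vulnerable pattern and the common blocker side by side. weak_sanitize is the regex blacklist that compares exact lowercase names; strong_sanitize rebuilds the markup with Python's stdlib html.parser, which lowercases tag and attribute names before the policy check, so the mixed-case PoC lines above are stripped. The allowlists and the sample list are constructed for the demo.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed samples: the lowercase control plus the two PoC lines above.
SAMPLES = [
    "<img src=x onerror=alert(1)>",
    "<img Src=x Onerror=alert(1)>",
    "<video src=1 ONERROR=alert(1)>",
]

# Vulnerable pattern: regex blacklist matching only exact lowercase names.
BLACKLIST_RE = re.compile(r"\s(onerror|onload)=[^\s>]*")

def weak_sanitize(html: str) -> str:
    return BLACKLIST_RE.sub("", html)

class HandlerFinder(HTMLParser):
    """Models the browser's view: any attribute whose normalized name starts with 'on'."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        self.found += [name for name, _ in attrs if name.startswith("on")]

def leaks_handler(html: str) -> bool:
    finder = HandlerFinder()
    finder.feed(html)
    return bool(finder.found)

class NormalizingSanitizer(HTMLParser):
    """Common blocker: parser-based rebuild; names arrive already lowercased."""
    ALLOWED_TAGS = {"img", "video", "p", "b", "i", "a"}   # constructed allowlist
    ALLOWED_ATTRS = {"src", "href", "alt"}                # constructed allowlist
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            return
        # 'Onerror' and 'ONERROR' are 'onerror' here, so the on* check cannot be dodged by casing.
        kept = [f'{n}="{escape(v or "", quote=True)}"' for n, v in attrs
                if not n.startswith("on") and n in self.ALLOWED_ATTRS]
        self.out.append("<" + " ".join([tag, *kept]) + ">")
    def handle_endtag(self, tag):
        if tag in self.ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def strong_sanitize(html: str) -> str:
    p = NormalizingSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)

def audit(sanitize) -> list:
    """True where a handler survives the sanitizer, one entry per sample."""
    return [leaks_handler(sanitize(s)) for s in SAMPLES]
```

audit(weak_sanitize) reports [False, True, True]: only the lowercase control is caught, while audit(strong_sanitize) reports all False.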

Good Situations To Use It

  • Sanitization is regex/blacklist based.
  • Lowercase handlers are blocked but casing isn't normalized.
  • You can inject raw tags.

Sources

  • labossi_2026/web/trusted_support_v2