Any Idea to Trigger Execution of JavaScript in rel Tag


Hello Guys,

I have found an entry point that make me able to close the quotation mark then write a payload but my payload doesn’t pops up an alert window.

Let me explain with examples;
When I visit, the page contains <link rel=alternate href="" />

Using foo" onerror=alert() junk="x, page reflects <link rel=alternate href="" onerror=alert() junk="x"/> But in this case, no alert pop-up shows up.

I tried it on my machine by copying page source and saw that If I could change rel=alternate to rel=import , then alert popup would show up. Unfourtunately I can’t do that in the target site.

So any idea about ;

  • why the event is not being triggered with rel=alternate
  • what is the key difference between import and alternate here?
  • what type of payload triggers a JavaScript execution (XSS I mean) here?

PS: I am not able to use < , > or their URL encoded versions to close the tag and open up a script tag.

Thanks in advance

Link rel=canonical XSS exploitation

Hi @monochrome,

as you can read here, rel=alternate is an alternate stylesheet, so it’s not loaded by default for what I understand.

I hope it helps.


Thanks for the answer @stefanofindsbugs

Best luck