Link rel=canonical XSS exploitation


Hi guys!

Do you know if it is exploitable that I can inject some payload into the link rel="canonical" tag?

<link rel="canonical" href="{PAYLOAD_HERE}"/>

The > symbol is filtered, the " one is not so I can break the tag attribute but can not escape from it.
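The safe way to handle this situation on the server side, as an added example that is not code from this thread: an attribute value that is HTML-escaped (so `"` becomes `&quot;`) cannot close the `href` attribute, no matter how many `rel="..."` strings the input contains, and restricting the canonical URL to absolute http(s) URLs removes the remaining scheme-based risk. The function names, the vulnerable-vs-hardened rendering pair and the injected sample value are all constructed for this example; the parsing helper shows what a browser-like tokenizer actually sees in each case.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def safe_canonical_href(candidate):
    """Return candidate if it is an absolute http(s) URL, else None.

    Canonical links are meant to point at a real page, so anything
    without an http/https scheme and a host is rejected outright.
    """
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_canonical_tag_unsafe(candidate):
    """Raw interpolation, the pattern from the question (do not use)."""
    return '<link rel="canonical" href="%s"/>' % candidate


def render_canonical_tag(candidate):
    """Hardened version: scheme allow-list plus attribute-context escaping."""
    href = safe_canonical_href(candidate)
    if href is None:
        return ""
    # quote=True also escapes " and ', so the value can never end the attribute
    return '<link rel="canonical" href="%s"/>' % html.escape(href, quote=True)


class _LinkAttrCollector(HTMLParser):
    """Collect the attribute list of every <link> tag the parser tokenizes."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            self.attrs.append(attrs)


def parse_link_attrs(markup):
    """Return one (name, value) list per <link> tag; values are unescaped."""
    collector = _LinkAttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


# Constructed sample input: a canonical URL carrying an attribute-breaking payload
INJECTED = 'https://example.com/page" rel="import" href="https://someurljusttotest/'

if __name__ == "__main__":
    print(parse_link_attrs(render_canonical_tag_unsafe(INJECTED)))
    print(parse_link_attrs(render_canonical_tag(INJECTED)))
    print(repr(render_canonical_tag("javascript:alert(1)")))
```

Run stand-alone, the unsafe rendering tokenizes into four attributes (two `rel`, two `href`), which is exactly the ambiguity the thread is probing; the hardened rendering yields two attributes, with the whole injected string sitting inert inside the single `href` value. Only absolute http(s) URLs are accepted here; if the application needs relative canonicals, resolve them against the site origin before rendering rather than relaxing the check.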


Hi skavans,
if you can insert ", then you may want to try to add " rel="import" href="https://someurljusttotest/ and see if the browser (it just works on Chrome) makes a request to someurljusttotest.


It has been a while since the topic was started, but I wonder whether you succeeded in exploiting it or not. I couldn't use the technique that @stefanofindsbugs describes. Having 2 rel attributes in a tag doesn't help because the browser just cares about the first one; the second one is ignored (at least in the latest Chrome 63.0.3239 version).


Hi @monochrome, I replied to the other thread you started here Any Idea to Trigger Execution of JavaScript in rel Tag.