Cross-site scripting – Stored XSS into anchor href attribute with double quotes HTML-encoded | PortSwigger Lab Note #2

via Dev.to Tutorial | Kenny Cipher

Target:
Lab URL: https://portswigger.net/web-security/cross-site-scripting/contexts/lab-href-attribute-double-quotes-html-encoded

Tools Used:
- Browser
- Burp Suite

Vulnerability Summary:
Type: Stored XSS
Description:

Steps to Exploit:
1. Determine that this is a stored XSS vulnerability because the input does not appear directly in the response.
2. Check the page source and find that the user-supplied website value is reflected inside the href attribute.
3. Inject a payload such as javascript:alert(1) into the href attribute to trigger the XSS.

Remediation:
The application should implement proper context-aware output encoding to prevent user-supplied data from being interpreted as executable code. All inputs must be safely encoded before being rendered in the browser. Additionally, input validation should be enforced to block dangerous patterns such as "javascript:" URLs. The use of secure frameworks with built-in XSS protection and the implementation of a Content Security Policy (CSP) are r
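The remediation above, as an added example that is not part of the original lab note or the lab's code: attribute encoding alone still lets the scheme through, so the href value is parsed and checked against a scheme allowlist before it is rendered. It assumes a Node.js server-side template; all function names are hypothetical.

```javascript
// Added example: hypothetical helpers for rendering a comment author's website link.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Encode a value for a double-quoted HTML attribute or element text.
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Behaviour the lab note describes: quotes are encoded, so the value
// cannot break out of the attribute, but the URL scheme is never checked.
function renderAuthorLinkWeak(website, name) {
  return `<a href="${encodeAttr(website)}">${encodeAttr(name)}</a>`;
}

// Parse first, then allowlist. The WHATWG URL parser normalizes case and
// strips whitespace the way a browser would, so the check sees the scheme
// the browser will act on instead of matching a literal "javascript:".
function safeHref(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch {
    return null; // not an absolute URL: reject rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Hardened form: drop the link entirely when the URL is not http(s).
function renderAuthorLink(website, name) {
  const href = safeHref(website);
  if (href === null) return `<span>${encodeAttr(name)}</span>`;
  return `<a href="${encodeAttr(href)}" rel="nofollow noopener">${encodeAttr(name)}</a>`;
}
```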
