XSS attack to bypass htmlspecialchars() function in value attribute

终归单人心 2020-12-24 13:48

Let's say we have this form, and the possible part for a user to inject malicious code is this below

...


        
5 Answers
  •  不思量自难忘°
    2020-12-24 14:26

    value is a normal HTML attribute, and has nothing to do with JavaScript.
    Therefore, String.fromCharCode is interpreted as a literal value, and is not executed.

    In order to inject script, you first need to force the parser to close the attribute, which will be difficult to do without >'".

    You forgot to put quotes around the attribute value, so all you need is a space.

    Even if you do quote the value, it may still be vulnerable; see this page.
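
The unquoted-attribute point from the answer above, as an added example that is not part of the original post: the same `htmlspecialchars()`-encoded value is rendered into an unquoted and a quoted `value` attribute, and the markup is parsed back to list which attributes the `<input>` ends up with. The function names, the field name `q`, the sample input and the harmless `data-injected` marker attribute are assumptions made for illustration; the script needs PHP's DOM extension.

```php
<?php
// Constructed sample input: contains a space but none of < > " '
// data-injected is a harmless marker standing in for any injected attribute.
$input = 'x data-injected=1';

// What the answer describes: the encoded value lands in an UNQUOTED attribute.
// htmlspecialchars() does not touch spaces, so the value ends at the first one.
function render_unquoted(string $v): string {
    return '<input type=text name=q value=' . htmlspecialchars($v) . '>';
}

// Hardened form: double-quoted attribute, both quote characters encoded.
function render_quoted(string $v): string {
    return '<input type="text" name="q" value="'
        . htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Parse the markup with libxml2 and return the attributes found on <input>.
function input_attributes(string $html): array {
    libxml_use_internal_errors(true);   // keep parser warnings out of the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $el = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($el->attributes as $a) {
        $attrs[$a->name] = $a->value;
    }
    return $attrs;
}

$cases = [
    'unquoted' => render_unquoted($input),
    'quoted'   => render_quoted($input),
];

foreach ($cases as $label => $html) {
    $attrs = input_attributes($html);
    // Anything besides the three attributes the template wrote came from the input.
    $extra = array_diff(array_keys($attrs), ['type', 'name', 'value']);
    printf("%s\n  markup: %s\n  value:  %s\n  unexpected attributes: %s\n",
        $label, $html, $attrs['value'] ?? '',
        $extra ? implode(', ', $extra) : 'none');
}
```

The same attribute listing can be used as a regression check on templates: any attribute name outside the ones the template itself writes means user input escaped the attribute value.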
