XSS and Applet/Param HTML Keywords

I have a Web application and have run a XSS scan on it and it reports that one of my pages that has a Java applet in it could potentially be open to XSS.

The test managed to assign a javascript alert box to the following HTML code:

<param name='id' value='' onMouseOver=alert(40041)>

My question is - Is this a valid test? Will doing any XSS javascript manipulation on Param objects cause any real world issue? I don't think a MouseOver on a param object will do anything.

Thanks

This is a valid test and it may be a serious vulnerability.

If contents of value was not escaped then the attacker could close the tag and add any other script.

Even if <> are escaped/stripped, but quotes aren't, it may still be exploitable: attacker could attach event handlers like onload and onerror. In modern browsers every element can be made visible (e.g. even <head>), so style could make <param> hoverable too.

It's quite simple to protect against XSS like this. When generating attributes always use quotes and in the value change:

• & to &
• < to <,
• ' to &x39;
• and " to ".

and you won't have to worry what bad things could happen with hijacked <param>.