Summary

/claim #5838

Adds pkg/fuzz/analyzers/xss/ — a standalone XSS context analyzer that determines where in an HTML document a reflected fuzz marker lands, then returns context-appropriate exploit payloads with confidence scores.

Fixes the javascript: URI misclassification described in #7086.

Problem

The fuzzing engine finds reflections but has no way to tell where in the HTML the value lands. Without context, you either spray every XSS payload everywhere (slow, noisy, false-positive-heavy) or miss valid injection points entirely.

Solution

AnalyzeReflectionContext(responseBody, marker string) XSSResult

Uses golang.org/x/net/html tokenizer (already in go.mod) to walk the HTML token stream. Returns a full XSSResult with:

• Context (16 types — see table below)
• Payloads — ordered list of exploit candidates best suited to the context
• BreakoutSeq — minimal sequence to escape the current context
• Confidence — 0.0–1.0 score
• IsExecutableSink — true when JS runs directly without additional breakout
• Explanation — human-readable description
• QuoteChar, AttributeName, TagName — structural metadata

AnalyzeAllReflections scans the entire document for all occurrences; AnalyzeReflectionContext returns the most exploitable one.

Implements the analyzers.Analyzer interface (registered as "xss_context") so it can be referenced in template YAML.

Context types (16)

Key correctness decisions

javascript: URI executability is tag-aware (fixes #7086):

• <a href="javascript:"> → ContextScript ✓ (executes)
• <iframe src="javascript:"> → ContextScript ✓ (executes)
• <img src="javascript:"> → ContextAttributeURL ✓ (does NOT execute)
• <script src="javascript:"> → ContextAttributeURL ✓ (does NOT execute)

First type attribute wins on <script> (HTML5 spec):

• <script type="application/json" type="text/javascript"> → ContextScriptData (non-executable)

TagAttr() single-pass — the tokenizer’s attribute iterator is forward-only. Scanning in one pass prevents silent attribute dropping (e.g. <script src="MARKER"> would be missed in a two-pass approach).

Quote style detection — the raw HTML source is probed to determine the actual delimiter (", ', or unquoted) so breakout sequences are correct.

Test coverage (55 test cases + 3 benchmarks, all pass)

$ go test ./pkg/fuzz/analyzers/xss/... -v
...
PASS
ok  github.com/projectdiscovery/nuclei/v3/pkg/fuzz/analyzers/xss

Covers:

• All 16 context types
• javascript: URI across 7 different tag+attr combos
• Event handler with single/double quote variants
• First-type-wins for duplicate type attrs on <script>
• Case-insensitive marker matching
• Nested quotes (double inside single and vice versa)
• Template literal detection
• Multiple reflections in one document (best context selected)
• Empty / missing inputs

Benchmarks (Apple M4):

BenchmarkAnalyzeReflectionContext_HTMLBody        898772   1267 ns/op    4896 B/op    21 allocs/op
BenchmarkAnalyzeReflectionContext_LargeDocument     9140  131626 ns/op  44468 B/op  1815 allocs/op
BenchmarkAnalyzeAllReflections                    677701   2145 ns/op    6208 B/op    32 allocs/op

Checklist

• PR created against dev branch
• New package only — no modifications to existing files
• Tests added (55 cases + 3 benchmarks)
• All tests pass
• go build ./pkg/fuzz/... succeeds
• Implements analyzers.Analyzer interface
• javascript: URI misclassification (#7086) fixed with tag-aware sink map

Summary by CodeRabbit

• New Features

  • New XSS reflection analyzer: detects and ranks reflections across HTML and JSON contexts (body, comments, attributes, scripts, styles, templates, srcdoc), reports confidence, and suggests context-aware proof‑of‑concept payloads and breakout guidance when exploitable reflections are found. Integrated into the scanning flow for automated analysis.

• Tests

  • Comprehensive test suite covering context detection, prioritization, payloads, edge cases, and benchmarks.