Gareth Heyes is a great security guy; you can also visit his blog, The Spanner. The newly released HTML 5 is now under the eyes of hackers, and it wasn't long before Gareth Heyes released new XSS vectors for it.
According to Gareth, these new XSS vectors fire automatically in the major web browsers: Safari, Chrome and Opera all support them. Gareth also featured them on Twitter.
The injection looks something like:-
The new HTML 5 also works with some other vectors and uses, but the great thing here is that you don't need to bind your XSS into a CSS style. HTML5 lets us execute code much like CSS expressions did, but without any CSS styles.
We use the “autofocus” feature to focus our element and then the onfocus event to execute our XSS. This works with a plethora (I like that word) of tags. Any form based element it seems you can use this method:-
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
These new XSS vectors mainly use the onfocus event, fired through HTML 5 autofocus, to run XSS in the major browsers that support HTML 5 right now, such as Safari, Chrome and Opera, and possibly Firefox too.
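Because the handler runs on page load, output filtering has to treat every on* attribute as script, not only those that need a click. The following is an added example (not code from Gareth Heyes or from this post) that uses Python's html.parser to drop on* attributes and flag elements where autofocus would have fired one. The names HandlerStripper and strip_handlers are hypothetical, and the sample fragments are constructed from the vectors listed above.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample input: the three vectors from the post plus a benign field.
# Each fragment is parsed on its own, since <textarea> swallows following markup.
SAMPLES = [
    "<select autofocus onfocus=alert(1)>",
    "<textarea autofocus onfocus=alert(1)>",
    "<keygen autofocus onfocus=alert(1)>",
    '<input name="q" autofocus>',
]

class HandlerStripper(HTMLParser):
    """Re-serialise markup without on* attributes; record autofocus+handler pairs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings = [], []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases attribute names, so OnFocus is caught too.
        handlers = [name for name, _ in attrs if name.startswith("on")]
        if handlers and any(name == "autofocus" for name, _ in attrs):
            # Handler would have run on page load, with no click or keypress.
            self.findings.append((tag, handlers))
        kept = [name if value is None else f'{name}="{escape(value)}"'
                for name, value in attrs if not name.startswith("on")]
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def strip_handlers(fragment):
    """Hypothetical helper: return (cleaned markup, findings) for one fragment."""
    parser = HandlerStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.findings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(strip_handlers(sample))
```

This covers only inline event-handler attributes; it is not a complete HTML sanitizer and passes other tags and attributes through unchanged.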