possible XSS… ?
I am able to modify the following contents to include anything I want here besides double quotations:
<div style="background-image:url('/api/assets/##HERE##');"></div>
Is there an XSS vulnerability possible here? I know it’s possible with double quotes, but it seems like the only character that I won’t be able to input – unless there is a way around it.
Edit: After messing around with this idea a lot more, it doesn’t seem like this will work, unfortunately. In most modern browsers, JS won’t run within a style tag for security reasons. And trust me, I really tried, to the point where I embedded SVGs with JS into the background-image:url(), then used base64 in an attempt to obfuscate it. The SVG viewed fine, but the JS didn’t run.
I’m starting to believe the only way to reach XSS would be to find a way to input double quotes so I can leave the style tag. The reason I’m unable to (from my understanding) is that my input is being sent inside of a JSON format. Then, the raw input inside that JSON is placed into that ##HERE## portion shown earlier. Double quotes break the JSON structure (afaik), and since the raw input is being used, encoding the quotations never seems to get decoded. Any ideas are highly appreciated, we can break this together
submitted by /u/coinfang
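For the defensive side of the template shown in the post, here is an added example (not code from the post or from the site it describes) of how a server could encode a value for the url('...') slot of a double-quoted style attribute instead of inserting it raw. The function names and the allowlist for asset names are assumptions.

```javascript
// Added example: context-aware encoding for a value that lands in url('...')
// inside a double-quoted style attribute. ASSET_PREFIX mirrors the post's
// template; all function names here are hypothetical.
const ASSET_PREFIX = '/api/assets/';

// Pattern from the post: the raw value is dropped straight into the template.
function renderRaw(name) {
  return `<div style="background-image:url('${ASSET_PREFIX}${name}');"></div>`;
}

// Layer 1: allowlist. Assumption: an asset name is a single path segment of
// letters, digits, '.', '_' and '-', with no leading dot.
function isValidAssetName(name) {
  return typeof name === 'string' &&
    /^[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}$/.test(name);
}

// Layer 2: URL-encode the path segment. encodeURIComponent leaves ! ' ( ) *
// untouched, and ' ( ) are meaningful inside CSS url(), so percent-encode
// those as well.
function encodeForCssUrl(segment) {
  return encodeURIComponent(segment).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Layer 3: HTML attribute encoding applied to the whole style value, so the
// quoting of the attribute does not depend on what earlier layers let through.
function escapeHtmlAttr(value) {
  return value.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function renderSafe(name) {
  if (!isValidAssetName(name)) return null; // reject instead of rendering
  const css = `background-image:url('${ASSET_PREFIX}${encodeForCssUrl(name)}');`;
  return `<div style="${escapeHtmlAttr(css)}"></div>`;
}
```

Each layer matches one parsing context the value passes through (URL path, CSS url() token, HTML attribute), so the output stays well-formed even if one layer is later relaxed.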