Benjamin Anderson

Reputation: 43

setAttribute() and XSS

I'm writing a script that needs to write the current page location to the DOM, and I'm concerned about XSS. Is the following JavaScript snippet safe from XSS?

var script = document.createElement('script');
script.setAttribute('src', 'http://fake.com?src=' + encodeURIComponent(document.location.href));
document.getElementsByTagName('head')[0].appendChild(script);

I know that using document.write() to accomplish the same thing is not safe in various browsers, but I've not seen any source discussing if using the DOM access methods is.

Upvotes: 4

Views: 3412

Answers (1)

Pointy

Reputation: 413916

There's no need to use "setAttribute":

script.src = 'http://fake.com?src=' + encodeURIComponent(document.location.href);

I don't see where an XSS vulnerability would sneak in here. The server code at "fake.com" has to be "hardened" against weird values of that "src" parameter, I suppose, but that's going to be true no matter what your JavaScript looks like.

Upvotes: 8
