Reputation: 53
I have the following line of code:
document.getElementById("div-1").innerHTML = userInput;
where userInput is a user provided variable. I realize that a user could easily insert harmful scripts by inserting something like:
<img src="/" onerror="alert('attack');"/>
However, I am unsure if this would be an example of XSS because I feel like the only user that would be affected would be the attacker.
Is this an example of XSS? If so, can you give an example of how an attacker could leverage this vulnerability in the form of an XSS and how this security risk can be mitigated?
Upvotes: 0
Views: 1945
Reputation: 4416
Yes, this is XSS. If only the attacker him/herself is affected, it is called self XSS. However, self XSS can often be chained with other bugs such as CSRF to turn the self XSS into a viable attack vector.
If you assign the userInput to .textContent instead of .innerHTML, you instruct the browser to treat the data as text and not HTML.
Upvotes: 1
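The mitigation from the answer above, as an added example that is not part of the original thread. It goes one step beyond the answer by also covering the case where user text has to be placed inside an HTML string. The helper names (showUserText, escapeHtml, commentMarkup) are hypothetical; "div-1" and the sample payload are taken from the question.

```javascript
// Added example: helper names are hypothetical, not from the thread.

// Preferred fix: assign to textContent, so the browser stores the value
// as a text node and never runs it through the HTML parser.
function showUserText(element, userInput) {
  element.textContent = String(userInput);
}

// Fallback for code that must build an HTML string around user text.
// These five characters are the ones that can break out of element
// content or a quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(userInput) {
  return String(userInput).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only escaped values are interpolated; the surrounding markup is fixed.
function commentMarkup(author, body) {
  return `<p class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</p>`;
}

// The payload from the question, used here as test input.
const payload = `<img src="/" onerror="alert('attack');"/>`;

// In a browser this shows the payload as literal text inside #div-1;
// no <img> element is created, so the onerror handler never exists.
if (typeof document !== "undefined") {
  const target = document.getElementById("div-1");
  if (target) {
    showUserText(target, payload);
  }
}
```

escapeHtml is only appropriate for element content and quoted attribute values; it does not make a value safe inside a script block, an event-handler attribute or a URL.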