Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Does 'innerText' prevent XSS?

Tags:

javascript

html

xss

If I am going to be displaying user-generated input on my site, is it safe enough to just display it by doing Element.innerText = "user input" in javascript, or do I need to additionally filter the input to prevent XSS?

like image 850
eeze Avatar asked Oct 08 '18 17:10

eeze

People also ask

What method prevents XSS?

In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures: Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input. Encode data on output.

Which is safer innerText or textContent?

Unlike innerHTML, textContent has better performance because its value is not parsed as HTML. For that reason, using textContent can also prevent Cross-Site Scripting (XSS) attacks. Unlike innerText, textContent isn't aware of CSS styling and will not trigger a reflow.

Does URL encoding prevent XSS?

Encoding is probably the most important line of XSS defense, but it is not sufficient to prevent XSS vulnerabilities in every context. You should also validate input as strictly as possible at the point when it is first received from a user.

Does CSP prevent DOM XSS?

CSP is a browser security mechanism that aims to mitigate XSS and some other attacks. It works by restricting the resources (such as scripts and images) that a page can load and restricting whether a page can be framed by other pages.

1 Answers

Does 'innerText' prevent XSS?

Not in all cases! The following excerpt is from the OWASP Foundation regarding unsafe usages of innerText:

One example of an attribute which is thought to be safe is innerText. Some papers or guides advocate its use as an alternative to innerHTML to mitigate against XSS in innerHTML. However, depending on the tag which innerText is applied, code can be executed.

The content provides the following example (which I have modified for clarity)

const tag = document.createElement("script");
tag.innerText = `console.log('Inner Text Used')`;
document.body.appendChild(tag); //executes code

However, in MOST cases, innerText is the method you would use to prevent XSS, and is also documented on OWASP:

... use innerText/textContent. This will solve the problem, and it is the right way to re-mediate DOM based XSS vulnerabilities

like image 114
KevBot Avatar answered Sep 28 '22 03:09

KevBot
Sign in to Comment

Related questions

Why is my function unable to return elements with specific text content?
How do I get the post json when there is a 404 error?
Initialize a two-dimensional array in JavaScript
React | localeCompare sort with null values
How to print whole list in for loop?
Detect that given element has been removed from the DOM without sacrificing performance
eslint 'html-webpack-plugin' should be listed in the project's dependencies, not devDependencies. (import/no-extraneous-dependencies)
TypeError: str.trim is not a function (Request-Promise/Tough-Cookie)
Remove multiple localStorage items
Why FlatList is not updating dynamically in React Native
Unexpected literal in error position of callback in Vue.JS
React native Unable to use local tmp file path for Image.source iOS
angular 6 ERROR ReferenceError: "process is not defined" with elasticsearch js
How can I return the fetch API results form a function?
How to make session last maximum of 30 days using client-sessions duration and activeDuration
Flatmap Promise in JS
Upgrading to Babel-loader 8 from 7? What do I need to change?
VueJS - Validate file size requirement in form file upload
Persisting only some fields from the Reducer
webpack minify HtmlWebpackPlugin

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!