I'm testing xss attacks on my own code. The example beneath is a simple box where an user can type whatever he wants. After pressing "test!" button, JS will show the input string into two divs.This is an example I made to explain better my question:
<html>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script type="text/javascript">
function testIt(){
var input = document.getElementById('input-test').value;
var testHtml = document.getElementById('test-html');
var testInnerHTML = document.getElementById('test-innerHTML');
$(testHtml).html(input);
testInnerHTML.innerHTML = input;
}
</script>
<head>this is a test</head>
<body>
<input id="input-test" type="text" name="foo" />
<input type="button" onClick="testIt();" value="test!"/>
<div id="test-html">
</div>
<div id="test-innerHTML">
</div>
</body>
if you try to copy it into a .html file and run it, it will work fine, but if you try to input <script>alert('xss')</script>
, only one alert box will be thrown: the one inside `test-html' div (with html() function).
I really can't understand why this is happening, and also, inspecting the code with firebug gives me this result (after injecting the script)
<body>
this is a test
<input id="input-test" type="text" name="foo">
<input type="button" value="test!" onclick="testIt();">
<div id="test-html"> </div>
<div id="test-innerHTML">
<script>
alert('xss')
</script>
</div>
</body>
as you can see test-html
div is empty, and test-innerhtml
div contans the script. Can someone tell me why? Is because html() is more secure against scripts injection or something similar?
Thanks in advance, best regards.
All HTML elements have inner HTML properties. The . html() jQuery method retrieves the HTML content of the first element in the particular set of matched elements. Remember: jQuery innerHTML does not exist as a function.
It then adds them to the DOM separately in a manner that causes their execution. .html() implicitly causes a few operations (script handling being one) whereas writing to innerHTML simply causes the innerHTML to change, but very little is done with that HTML.
Answer : appendChild is used to insert new node in DOM. innerHTML is a property of DOM that allows to replace content of an element with different HTML, which automatically gets parsed into DOM nodes.
The use of innerHTML creates a potential security risk for your website. Malicious users can use cross-site scripting (XSS) to add malicious client-side scripts that steal private user information stored in session cookies. You can read the MDN documentation on innerHTML .
Contrary to what is being said in the accepted answer, jQuery.html()
and the many jQuery functions which accept HTML strings as arguments are more prone to DOM-based XSS injection than innerHTML
, as noticed by the OP.
jQuery.html()
extracts the <script>
tags, updates the DOM and evaluates the code embedded in the script tags.
As a result, XSS can happen without user interaction even after the DOM is loaded when using jQuery.html()
.
This is very easy to demonstrate.
This will call alert()
:
$('.xss').html('<script>alert("XSS");</script\>');
http://jsfiddle.net/2TpHC/
While this will not:
var d = document.getElementById('xss');
d.innerHTML = '<script\>alert("XSS");</script\>';
http://jsfiddle.net/Tjspu/
Unfortunately, there are many other code paths (sinks) which lead to calling eval()
in jQuery. The security conscious will probably avoid jQuery altogether, as far as possible.
Note that I do not claim that using innerHTML is an effective defense against XSS. It is not. Passing unescaped data to innerHTML is not safe, as pointed out by @daghan. One should always properly escape data when generating HTML.
JQuery strips out the script tags, which is why you aren't seeing it append to the dom let alone executing.
To see an explanation of why jquery strips it out, you can see John Resig's reply here: https://forum.jquery.com/topic/jquery-dommanip-script-tag-will-be-removed
Hope this helps
yes jquery html won't render script tags
but it isn't more secure
because you can use many other xss payloads such as <a href>
style , expression etc..
This is similar to both this question and this one. .html()
strips out the script tags before it inputs the HTML and executes them separately.
As for why the second one is not being executed, it is because dynamically added scripts like that will not be run after the page has been loaded.
But, as @Ben points out, there are a lot of XSS openings when accepting things like that. That said, if the information is being displayed on their own page, they can run any arbitrary code they want on their own machine. The big issue will be if you store this, or send this to other users. Unless you do that, there is no protecting users from themselves in these sorts of regards. Maybe knowing what you're trying to protect against will help.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With