Is createTextNode completely safe from HTML injection & XSS?

I'm working on a single page webapp. I'm doing the rendering by directly creating DOM nodes. In particular, all user-supplied data is added to the page by creating text nodes with document.createTextNode("user data").

Does this approach avoid any possibility of HTML injection, cross site scripting (XSS), and all the other evil things users could do?

Brian Reischl asked Jul 25 '12 16:07



1 Answer

It creates a plain text node, so yes, as far as it goes.

It is possible to create an XSS problem, though, by using an unsafe method to get the data from whatever channel it is being input through into createTextNode.

e.g. the following would be unsafe:

document.createTextNode('<?php echo $_GET['xss']; ?>');

… but the danger is from the PHP echo, not the JavaScript createTextNode.

Quentin answered Oct 10 '22 21:10
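An added example (not part of the question or Quentin's answer) that shows the answer's point in code: createTextNode renders the text inertly, so the hardening belongs on the transport of the data into the script, which means JSON-encoding it with `<`, `>`, `&` and the Unicode line terminators escaped instead of a raw echo (on the server, PHP's json_encode with JSON_HEX_TAG | JSON_HEX_AMP does the same). `renderUserText` needs a browser `document`; `jsonForScript` and `encodedIsInert` run anywhere, and the sample string is constructed for the demonstration.

```javascript
// Added example, not code from the original question or answer.
// The risk described in the answer is how user data is carried INTO the
// script source, not createTextNode itself. Two halves of a safe pipeline:

// 1. Server side (what the PHP would have to do instead of a raw echo):
//    JSON-encode the value, then additionally escape the characters that
//    could end the <script> block or break a string literal, so the result
//    is safe to place inside <script>var data = ...;</script>.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// 2. Client side: render untrusted text as a text node, never as markup.
//    Whatever the string contains, no elements or handlers are created.
function renderUserText(container, text) {
  const node = document.createTextNode(text);
  container.appendChild(node);
  return node;
}

// Constructed test input: a string that would terminate the <script>
// block and start a new one if it were echoed into the page unencoded.
const SAMPLE = '</script><script>alert(1)</script>';

// Check that the encoded form contains no tag characters at all and still
// decodes to the exact original string (nothing is lost, only escaped).
function encodedIsInert(value) {
  const encoded = jsonForScript(value);
  const noTagChars = !/[<>]/.test(encoded);
  const roundTrips = JSON.parse(encoded) === value;
  return noTagChars && roundTrips;
}
```

In a browser, `renderUserText(document.body, JSON.parse(encoded))` would then show the tags as literal text, with no script created.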