I'm doing element.textContent = unescapedData to put unescaped user input on a website. Is there any way for an attacker to do something bad using this?

Also, is there any way for an attacker to affect the page outside of element (meaning outside the 30rem by 3rem box) if it has the following CSS?

max-width: 30rem;
max-height: 3rem;
overflow: hidden;

I've thought about using weird or invalid Unicode characters, but couldn't find any information on how to accomplish this.
Background on the three properties involved. textContent sets or returns the concatenated text of a node and all its descendants, without regard to rendering, so it includes the contents of script and style elements and hidden elements alike; it is similar to nodeValue, except that nodeValue of an Element is null while textContent gathers the data of all descendant Text nodes. innerText, by contrast, is the rendered text of an HTMLElement: it omits hidden content and reflects CSS text transforms. innerHTML gets or sets the HTML markup of the element's contents. The difference that matters for this question is what happens on assignment: assigning to innerHTML hands the string to the HTML parser, which builds elements (and attributes, event handlers, and so on) from it, whereas assigning to textContent stores the string verbatim as a single Text node and never invokes the HTML parser. With innerHTML an "<img ...>" in the input becomes an img element; with textContent the same characters are literal text.
The relevant spec seems to be at https://dom.spec.whatwg.org/#dom-node-textcontent. Assuming element is an Element or DocumentFragment, a Text node is created and its data is set to the string unescapedData.

And this question, Is a DOM Text Node guaranteed to not be interpreted as HTML?, seems pretty definitive that a browser won't render a Text node as anything but text. I haven't tracked that down in the spec yet.
So, unless the browser is defective, the answers are "no" and "no".
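The following is an added example, not code from the asker or the answerer. It models the two spec steps the answer above leans on: the textContent setter ("string replace all" in the DOM spec, which creates one Text node holding the raw string and never calls the HTML parser) and the innerHTML getter (the HTML fragment serialization algorithm, which escapes &, <, > and U+00A0 inside Text nodes). The node objects, the function names and the sample inputs are constructed for illustration; in a real browser the equivalent check is el.textContent = s followed by el.children.length === 0 and inspecting el.innerHTML.

```javascript
// Added example: a small model of the DOM "string replace all" step behind
// the textContent setter and of HTML text-node serialization (innerHTML
// getter). It is not a browser and not the page author's code; node shapes
// and function names below are assumptions made for illustration.

const ELEMENT_NODE = 1;
const TEXT_NODE = 3;

function createElement(tagName) {
  return { nodeType: ELEMENT_NODE, tagName: tagName.toUpperCase(), childNodes: [] };
}

function createTextNode(data) {
  return { nodeType: TEXT_NODE, data: String(data) };
}

// DOM spec "string replace all": every child of `el` is replaced by a single
// Text node whose data is the string verbatim; the empty string yields no
// node at all. The string is never parsed, so no Element can result.
function setTextContent(el, str) {
  const s = String(str);
  el.childNodes = s === '' ? [] : [createTextNode(s)];
  return el;
}

// HTML spec "escaping a string" as applied to Text nodes (attribute mode,
// which also escapes quotes, is not needed here). '&' must go first so the
// entities produced by the later replacements are not re-escaped.
function escapeText(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Minimal HTML fragment serializer for this model (what innerHTML returns).
function serializeChildren(el) {
  return el.childNodes.map((n) => {
    if (n.nodeType === TEXT_NODE) return escapeText(n.data);
    const tag = n.tagName.toLowerCase();
    return `<${tag}>${serializeChildren(n)}</${tag}>`;
  }).join('');
}

// The property the question asks about: after assignment, does `el` hold
// anything other than one Text node whose data is exactly the input?
function onlyLiteralText(el, input) {
  const expected = input === '' ? 0 : 1;
  return el.childNodes.length === expected &&
    el.childNodes.every((n) => n.nodeType === TEXT_NODE && n.data === input);
}

// Constructed sample inputs: HTML injection, pre-encoded entities (which must
// stay literal, not be decoded), the "weird Unicode" the asker mentions
// (a right-to-left override and a NUL), and the empty string edge case.
const SAMPLES = [
  '<img src=x onerror="alert(1)">',
  '&lt;script&gt;alert(1)&lt;/script&gt;',
  '\u202Etxt.exe',
  'a\u0000b',
  '',
];

function runSamples() {
  return SAMPLES.map((input) => {
    const el = setTextContent(createElement('div'), input);
    return { input, literal: onlyLiteralText(el, input), serialized: serializeChildren(el) };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(runSamples());
}
```

Every sample ends up as literal text: the injection payload and the pre-encoded entities are stored character for character, the serialized form shows them escaped, and no element is created. One caveat the model makes explicit by construction: the "no" depends on element being an ordinary element. If element were a style element, the Text node would still be only text to the DOM but would be read as CSS by the style engine, and a script element created and filled this way and then inserted would execute its text as script; so the safe pattern is textContent on a normal container such as a div or span.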