Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

vulnerabilities of letting user define innerHTML

Let's say I have a <textarea> and <div> element, and when the user puts html, CSS, or whatever they want), into the textarea, then their input is set as the innerHTML of the <div> element, using javascript.

What are the vulnerabilities of letting the user define the content of a <div> element?

like image 668
Web_Designer Avatar asked Apr 29 '11 01:04

Web_Designer


People also ask

What is the danger of using innerHTML?

The use of innerHTML creates a potential security risk for your website. Malicious users can use cross-site scripting (XSS) to add malicious client-side scripts that steal private user information stored in session cookies. You can read the MDN documentation on innerHTML .

Why you should not use innerHTML in JavaScript?

Can break the document: There is no proper validation provided by innerHTML, so any valid HTML code can be used. This may break the document of JavaScript. Even broken HTML can be used, which may lead to unexpected problems.

Is it good to use innerHTML?

Security considerations HTML specifies that a <script> tag inserted with innerHTML should not execute. For that reason, it is recommended that instead of innerHTML you use: Element. SetHTML() to sanitize the text before it is inserted into the DOM.

What is the main purpose of innerHTML?

Definition and Usage The innerHTML property sets or returns the HTML content (inner HTML) of an element.


1 Answers

If the content they enter does not leave the page, there is no more risk than them editing the DOM through firebug or the chrome inspector. If you take their input and then display it as is, that is a huge security risk especially when other users are on your website.

like image 52
Max Avatar answered Sep 28 '22 12:09

Max