If I am going to be displaying user-generated input on my site, is it safe enough to just display it by doing `Element.innerText = "user input"` in JavaScript?
Does `innerText` prevent XSS?
Not in all cases! The following excerpt is from the OWASP Foundation regarding unsafe usages of innerText:
One example of an attribute which is thought to be safe is innerText. Some papers or guides advocate its use as an alternative to innerHTML to mitigate against XSS in innerHTML. However, depending on the tag to which innerText is applied, code can be executed.
The content provides the following example (which I have modified for clarity):
const tag = document.createElement("script"); // a <script> element treats its text as code
tag.innerText = `console.log('Inner Text Used')`; // no markup is parsed, but the text is still a script body
document.body.appendChild(tag); // executes the code once the element is attached
However, in MOST cases, innerText is the method you would use to prevent XSS, as is also documented by OWASP:
... use innerText/textContent. This will solve the problem, and it is the right way to remediate DOM based XSS vulnerabilities
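The practical consequence of the answer above is that the safety of innerText/textContent depends on the element receiving the text, not on the property alone. The following is an added example, not code from the question, the answer or OWASP: a small renderer that places user-generated text only into elements that display their text, and refuses the tags (script and style) whose text children the browser interprets. The `doc` parameter is assumed to be `document` in a browser; `makeStubDocument` is a constructed stand-in so the block runs in Node without a DOM.

```javascript
// Added example (not from the original question or answer). Tags whose text
// content is parsed or executed rather than displayed. Assumption: this is a
// deliberately small denylist chosen for the example, not an OWASP-defined list.
const CODE_BEARING_TAGS = new Set(["SCRIPT", "STYLE"]);

// True when the element shows its text verbatim instead of interpreting it.
function isTextContainer(element) {
  const tag = String(element.tagName || "").toUpperCase();
  return tag !== "" && !CODE_BEARING_TAGS.has(tag);
}

// Set user-controlled text on an element that is known to display, not run, it.
function setUserText(element, userInput) {
  if (!isTextContainer(element)) {
    throw new Error(
      `refusing to place user text in <${element.tagName}>: its text is interpreted as code`
    );
  }
  // textContent assigns a single text node; nothing in the string is parsed as markup.
  element.textContent = String(userInput);
  return element;
}

// Render one user comment as a <p> under container. Markup in userInput stays literal.
function renderUserComment(doc, container, userInput) {
  const paragraph = doc.createElement("p");
  setUserText(paragraph, userInput);
  container.appendChild(paragraph);
  return paragraph;
}

// Minimal stand-in for a DOM so the example can run outside a browser.
// Constructed for this example only; in a real page pass `document` instead.
function makeStubDocument() {
  const makeElement = (tagName) => ({
    tagName: tagName.toUpperCase(),
    textContent: "",
    children: [],
    appendChild(child) {
      this.children.push(child);
      return child;
    },
  });
  return { createElement: makeElement, body: makeElement("body") };
}

// Usage: in a browser this would be renderUserComment(document, document.body, input).
const doc = makeStubDocument();
const sampleInput = "<b>not bold</b>"; // constructed sample of user input
const rendered = renderUserComment(doc, doc.body, sampleInput);
console.log(rendered.tagName, JSON.stringify(rendered.textContent)); // P "<b>not bold</b>"

try {
  setUserText(doc.createElement("script"), "console.log('never reached')");
} catch (err) {
  console.log(err.message); // the guard rejects a script element
}
```

The guard is the point: user data flows only into text containers the page chose, and the decision to ever create a script or style element is never driven by user input. In a browser, `setUserText` works unchanged on real elements because it only relies on `tagName` and `textContent`.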