user6796243 user6796243 - 4 months ago 18
Javascript Question

XSS javascript, exploit check

I am currently working on a page where I need the user to input several variables which when submitted are then displayed throughout the page.

Problem is, it needs to be 100% secure code, and whilst I'm OK using PDO/MySQL etc., JavaScript is not something I'm very fluent in.

At the moment, I have the following:

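<script language="JavaScript">
function showInput() {
  // Copy each input's value into its span as plain text (not parsed as HTML)
  document.getElementById('var1').innerText = document.getElementById('user_var1').value;
  document.getElementById('var2').innerText = document.getElementById('user_var2').value;
}
</script>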

with the html

your variable 1 is = <input type="text" name="message" id="user_var1"><br />
your variable 2 is = <input type="text" name="message" id="user_var2"><br />
<input type="submit" onclick="showInput();">
<p>var1 = <span id='var1'></span></p>
<p>var2 = <span id='var2'></span></p>

From what I can tell, using ".innerText" should stop any html etc being used and I have tested with

<script>alert(document.cookie);</script>

which results in the above just being printed as is (not run).


your variable 1 is = <script>alert(document.cookie);</script>

Is there anything else you would recommend doing to make sure it is secure (XSS or otherwise)? Only characters that should need to be entered are / and A-Z 0-9

Thanks in advance :)


Just to clarify, the only code is what is above, the page is not pulling data from a database etc (what you see above is virtually the full php page, just missing the html head body tags etc).


Just based on what you're doing above you're not going to have XSS. innerText will do proper escaping.

To have your site be 100% secure is a tall order. Some of the things I'd look at are running your site over HTTPS with HSTS to prevent a network level adversary tampering with the site, parameterizing your SQL queries, adding CSRF tokens as necessary on form submission.

Specifically regarding XSS, one of the most common ways people get XSS'd is because they perform insecure DOM manipulation. If you're concerned about security I'd highly recommend porting your JS to React as you're manipulating a "virtual DOM", which allows React to perform context sensitive escaping. It also takes the burden off of the developer from having to do proper escaping.

One quick security win is adding a CSP policy to your site and setting the script-src directive to self. A CSP policy establishes the context in which certain content can run on your site. So if, for example, you have script-src set to self (meaning your JS is loaded in the src attribute of a <script> tag pointing to the same domain as where the HTML is served, and not inline on the page), then if someone does XSS it will (most likely*) not run.

These are just some examples of different security solutions available to you and a brief intro to security-in-depth practices. I'm glad you're taking security seriously!

*There are some circumstances (if you're dynamically generating your scripts for example) in which their code could run.
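
As an added example (not part of the original answer), the following JavaScript checks whether a given Content-Security-Policy value would still let an injected inline script run, which is the point of the script-src self advice above. The function names and sample policies are constructed for illustration; it runs under Node.js and models only the inline-script rule, not the full CSP matching algorithm.

```javascript
// Added example: does a Content-Security-Policy value still let an injected
// inline <script> run? Models only the inline-script rule of CSP.

// Split a header value into a Map of directive name -> list of sources.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function allowsInjectedInlineScript(headerValue) {
  const directives = parseCsp(headerValue);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // nothing restricts scripts
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const overridesUnsafeInline = lower.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'");
  return lower.includes("'unsafe-inline'") && !overridesUnsafeInline;
}

// Constructed sample policies (not taken from any real site).
const samples = [
  "script-src 'self'",
  "default-src 'self'; img-src *",
  "script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'unsafe-inline' 'nonce-EXAMPLEnonce123'",
  "img-src 'self'",
];
for (const policy of samples) {
  const verdict = allowsInjectedInlineScript(policy) ? 'RUNS' : 'blocked';
  console.log(`${verdict.padEnd(8)} ${policy}`);
}
```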