Just dropping in to say that you shouldn't use .innerHTML unless you can be 100% sure that what you'll insert is safe. XSS (cross-site scripting) is a very relevant attack vector.
Of course if the whole site is built on it, it's hard to migrate to .innerText, because it's just not a replacement. But still, .innerHTML opens up your app to all sorts of issues.
(Classic example attack:
Site's behavior: user enters information like their username, sends it to server, server responds with HTML including that username which is inserted using .innerHTML.
The attack: simply an added <script>...</script> tag, which can now wreak havoc on the site. Not very interesting if it's only rendered to the same user, but extremely interesting if the username is rendered into the markup of the page while another user is logged in (or even better: is logging in, so the script could read the password).)
Even better than .innerText would be appendChild and friends, of course, but that's more advanced.
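An added example, not part of the comment above, contrasting the three ways of putting a user-supplied username on the page that the comment mentions: `.innerHTML` (unsafe), `textContent` plus `createElement`/`appendChild` (safe), and escaping when a markup string is unavoidable. The hostile username is a constructed sample; in a browser the functions use the real `document`, and under Node they fall back to a tiny stand-in `document` defined here (an assumption for running the example offline, not a real DOM).

```javascript
// Added example: rendering an untrusted username with .innerHTML versus with
// textContent/appendChild. Browser code uses the real DOM; under Node a small
// constructed stand-in `document` is used so the two paths can be compared.

// Constructed sample input: a username containing markup (mirrors the comment's
// "added <script> tag" scenario; the script body is a placeholder comment).
const HOSTILE_USERNAME = 'alice<script>/* attacker code */</script>';

// Escape the five characters that matter when text must become part of an
// HTML string. Only needed when you cannot build DOM nodes directly.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Minimal stand-in for the DOM (assumption: enough surface for this example).
// Text set via textContent is escaped on serialization; innerHTML is kept raw,
// which is exactly the difference that makes innerHTML dangerous.
function makeFakeDocument() {
  function element(tagName) {
    return {
      tagName,
      children: [],
      text: '',
      rawMarkup: null,
      set innerHTML(markup) { this.rawMarkup = String(markup); this.children = []; this.text = ''; },
      set textContent(value) { this.text = String(value); this.children = []; this.rawMarkup = null; },
      appendChild(child) { this.children.push(child); return child; },
      get outerHTML() {
        const inner = this.rawMarkup !== null
          ? this.rawMarkup
          : escapeHtml(this.text) + this.children.map((c) => c.outerHTML).join('');
        return `<${tagName}>${inner}</${tagName}>`;
      },
    };
  }
  return { createElement: element };
}

const doc = typeof document !== 'undefined' ? document : makeFakeDocument();

// UNSAFE: the username is parsed as markup, so any tags it contains become nodes.
function renderGreetingUnsafe(container, username) {
  container.innerHTML = '<p>Hello, ' + username + '</p>';
  return container;
}

// SAFE: build the structure with createElement/appendChild and insert the
// untrusted value through textContent, which never parses it as HTML.
function renderGreetingSafe(container, username) {
  const p = doc.createElement('p');
  p.textContent = 'Hello, ' + username;
  container.appendChild(p);
  return container;
}

// SAFE when a markup string is unavoidable (e.g. a server-side template):
// escape the untrusted part before concatenating.
function greetingMarkupEscaped(username) {
  return '<p>Hello, ' + escapeHtml(username) + '</p>';
}

// Check whether the untrusted input ended up as a real <script> element.
function demo() {
  const unsafe = renderGreetingUnsafe(doc.createElement('div'), HOSTILE_USERNAME);
  const safe = renderGreetingSafe(doc.createElement('div'), HOSTILE_USERNAME);
  return {
    unsafeHasScript: unsafe.outerHTML.includes('<script>'),   // true
    safeHasScript: safe.outerHTML.includes('<script>'),       // false
    escapedHasScript: greetingMarkupEscaped(HOSTILE_USERNAME).includes('<script>'), // false
  };
}
```

The check to keep in mind is "does untrusted input ever get parsed as markup?", not the specific tag: modern browsers do not execute a `<script>` element inserted via `innerHTML`, but other elements with event-handler attributes inserted the same way do run, so the `innerHTML` path stays unsafe either way. `textContent` is usually preferable to `innerText` for this purpose because it does not depend on layout and is cheaper to set.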
Thanks for all the links! I'll pass them on whenever someone tells me how much easier jQuery is compared to JS.