Skip to content

Use of document.write

What does this mean ?

Calls to document.write or document.writeln manipulate DOM directly without any sanitization and should be avoided.

What can happen ?

Untrusted data into the output without encoding it correctly opens the door for reflected XSS attacks. Use document.write to insert plain HTML into the DOM opens the door for DOM XSS attacks.

Recommendation

Use document.createElement() or similar methods instead.

Sample Code

Vulnerable :

<select><script>
    document.write("<OPTION value=1>"+decodeURIComponent(document.location.href.substring(document.location.href.indexOf("default=")+8))+"</OPTION>");

    document.write("<OPTION value=2>English</OPTION>");
</script></select>

References