Use of unsafe HTML

What does this mean?

Incorrect usage of innerHTML can expose you to a cross-site scripting (XSS) attack. Sanitizing user input for display is famously error-prone, and failure to sanitize properly is one of the major sources of web application vulnerabilities.

What can happen?

If a library function is not documented as harmful or dangerous, a caller may mistakenly pass it inputs that include unsafe HTML fragments, leaving the client vulnerable to cross-site scripting attacks.

Recommendation

All library functions that might lead to cross-site scripting attacks should be documented, and dangerous inputs should be avoided when dynamic HTML generation is not needed.

Sample Code

Vulnerable:

foo.innerHTML = input.value;                      // user-controlled value is parsed as markup
bar.innerHTML = "<a href='"+url+"'>contact</a>";  // url is concatenated into an attribute unescaped

Non-vulnerable:

foo.innerHTML = 7;                                          // constant, not attacker-influenced
bar.innerHTML = "<a href='/contact.html'>contact</a>";      // static markup only
bar.innerHTML = escapeHTML`<a href='${url}'>contact</a>`;   // interpolated value is escaped by the tag
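As an added example (not code from the original page), one way to write the `escapeHTML` tag used in the non-vulnerable sample: it leaves the template's literal markup untouched and entity-escapes only the interpolated values, so a value can never close the attribute or tag written around it. `escapeText`, `safeHref` and `renderContactLink` are names chosen here, and `safeHref` assumes that only relative paths and http(s) URLs should reach an href, since entity escaping alone cannot make that decision.

```javascript
// Added example: a tagged template that escapes interpolated values only.
// Characters that can change HTML structure inside text or a quoted attribute.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Entity-escape a single dynamic value before it is placed into markup.
function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tag function: `strings` are the author's literal fragments (trusted),
// `values` are the ${...} interpolations (untrusted, escaped here).
function escapeHTML(strings, ...values) {
  return strings.reduce(
    (out, literal, i) => out + (i > 0 ? escapeText(values[i - 1]) : "") + literal,
    ""
  );
}

// Escaping keeps a value inside the href attribute; it does not decide whether
// that value is an acceptable link target. Assumption made for this example:
// only same-origin relative paths and http(s) URLs are allowed; anything else
// is replaced by an inert "#".
function safeHref(url) {
  const s = String(url).trim();
  if (s.startsWith("/") && !s.startsWith("//")) return s;
  if (/^https?:\/\//i.test(s)) return s;
  return "#";
}

// Build the markup the page's sample assigns to bar.innerHTML, with the value
// both constrained (safeHref) and escaped (escapeHTML).
function renderContactLink(url) {
  return escapeHTML`<a href='${safeHref(url)}'>contact</a>`;
}

// Constructed sample inputs; outside a browser we only build the strings.
console.log(renderContactLink("/contact.html"));
console.log(renderContactLink("https://example.com/a?b=1&c=2"));
console.log(renderContactLink("/x'y"));
console.log(escapeHTML`<p>${"it's <b>here</b>"}</p>`);
```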

References