
Use of MSApp.execUnsafeLocalFunction

What does this mean?

In a Windows Store (WWA) app running in the local context, the runtime normally blocks dynamic content from reaching sinks such as innerHTML. MSApp.execUnsafeLocalFunction disables that script injection validation for the duration of the passed function.

What can happen?

Code run inside the callback can assign unfiltered, possibly untrusted, content to innerHTML and similar sinks, so HTML and script injection become possible in the local context, where injected script runs with the app's own privileges.

Recommendation

Build nodes with document.createElement() or similar DOM methods, set properties such as style.color and innerText directly, and append the node; do not concatenate untrusted values into an HTML string and bypass the validation with MSApp.execUnsafeLocalFunction.

Sample Code

Vulnerable:

// textColor is an untrusted value (for example, user-supplied). The callback
// concatenates it into markup; execUnsafeLocalFunction lifts the injection
// validation that would otherwise block this innerHTML assignment.
MSApp.execUnsafeLocalFunction(function() {
    var body = document.getElementsByTagName('body')[0];
    body.innerHTML = '<div style="color:' + textColor + '">example</div>';
});

Non vulnerable:

var body = document.getElementsByTagName('body')[0];

// Build the node with DOM APIs: textColor and the label are set as properties,
// so neither is ever parsed as HTML and no validation bypass is needed.
var exampleDiv = document.createElement('div');
exampleDiv.style.color = textColor;
exampleDiv.innerText = 'example';

body.appendChild(exampleDiv);
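The same recommendation as a reusable renderer, added here as an example that is not part of the original page: the interpolated color is checked against an allow-list before it is used, the text goes through textContent rather than innerHTML, and the document is passed in as `doc` so the function runs in a WWA page or, as below, against a constructed `fakeDocument` in Node (the names `isSafeCssColor`, `renderExample` and `fakeDocument` are assumptions of this example).

```javascript
// Allow-list for the value the vulnerable sample interpolates into a style
// attribute: CSS named colors (letters only) or #rgb / #rrggbb hex. Quotes,
// semicolons, parentheses and anything else that could escape a style context
// are rejected rather than escaped.
const SAFE_CSS_COLOR = /^(?:[a-zA-Z]{1,20}|#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6}))$/;

function isSafeCssColor(value) {
  return typeof value === 'string' && SAFE_CSS_COLOR.test(value);
}

// Builds the equivalent of <div style="color:...">text</div> with DOM APIs
// only. `text` is assigned through textContent, so markup inside it stays
// literal text, and `textColor` never reaches a string/HTML sink, so there is
// no reason to call MSApp.execUnsafeLocalFunction.
function renderExample(doc, textColor, text) {
  if (!isSafeCssColor(textColor)) {
    throw new Error('rejected unsafe color value');
  }
  const div = doc.createElement('div');
  div.style.color = textColor;
  div.textContent = text;   // textContent, never innerHTML
  return div;
}

// Constructed minimal stand-in for `document` so the example runs offline.
// In the app, pass the real `document` instead.
const fakeDocument = {
  createElement(tag) {
    return { tagName: tag.toUpperCase(), style: {}, textContent: '', children: [] };
  },
};

// Usage: the markup in the label survives only as text, not as child nodes.
const demo = renderExample(fakeDocument, '#0f0', '<b>example</b>');
console.log(demo.tagName, demo.style.color, JSON.stringify(demo.textContent));
```

In the browser, append the returned node with body.appendChild() exactly as in the non-vulnerable sample; the original sample's innerText works the same way as textContent here for this purpose.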

References