Use of MSApp.execUnsafeLocalFunction

What does this mean ?

Disables the platform's script injection validation (the automatic filtering that Windows Store apps apply to innerHTML, outerHTML and similar markup-inserting properties) for the passed function while it runs in the local context.

What can happen ?

Calling this function can lead to serious security concerns such as HTML and script injection. Any untrusted value that reaches innerHTML (or a similar property) inside the callback is inserted into the DOM unfiltered, and code in the local context runs with the app's own privileges, so injected script inherits them.

Build the DOM with document.createElement() and set text through innerText or textContent instead of concatenating untrusted data into markup. If markup really has to be inserted, keep the default validation in place rather than wrapping the assignment in MSApp.execUnsafeLocalFunction.

Sample Code

Vulnerable :

// textColor comes from an untrusted source (for example user input); the
// validation that would normally strip dangerous markup is switched off here.
MSApp.execUnsafeLocalFunction(function() {
    var body = document.getElementsByTagName('body')[0];
    body.innerHTML = '<div style="color:' + textColor + '">example</div>';
});

Non Vulnerable :

var body = document.getElementsByTagName('body')[0];

var exampleDiv = document.createElement('div');
exampleDiv.style.color = textColor;   // set as a style property, never parsed as markup
exampleDiv.innerText = 'example';     // text node, so any tags in the value stay literal
body.appendChild(exampleDiv);
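As an added example (not code from the original rule page or from any Windows API), the block below shows what the concatenation in the vulnerable sample actually produces when textColor is attacker-controlled, and a hardened builder that validates the colour against an allow-list and assigns text rather than markup. The helper names buildUnsafeMarkup, isSafeCssColor and renderColoredText, the regular expression, and the attacker value are all assumptions made for this example.

```javascript
// Added example, not from the original rule page. Helper names and the
// attacker value are illustrative assumptions, not a Windows/WinJS API.

// The pattern the vulnerable sample uses: untrusted input is pasted into HTML.
// Inside MSApp.execUnsafeLocalFunction the platform's markup validation is off,
// so whatever textColor contains lands in the DOM verbatim.
function buildUnsafeMarkup(textColor) {
  return '<div style="color:' + textColor + '">example</div>';
}

// Allow-list check for a CSS colour: a named colour, #hex, or rgb()/rgba().
// Quotes, angle brackets, url(), expression() and friends are all rejected.
var CSS_COLOR_RE = /^(?:[a-zA-Z]{1,20}|#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?|rgba?\(\s*\d{1,3}(?:\s*,\s*\d{1,3}){2}(?:\s*,\s*(?:0|1|0?\.\d+))?\s*\))$/;

function isSafeCssColor(value) {
  return typeof value === 'string' && CSS_COLOR_RE.test(value);
}

// Hardened rendering: build the node with DOM APIs and assign text, never markup.
// `doc` is passed in so the same function runs in the app (with `document`) and
// under a test with a minimal stand-in object.
function renderColoredText(doc, textColor, text) {
  var div = doc.createElement('div');
  // Reject anything that is not a plain colour instead of trusting the input.
  div.style.color = isSafeCssColor(textColor) ? textColor : 'inherit';
  div.textContent = text;   // text node: '<img onerror=...>' stays literal
  return div;
}

// Constructed attacker value: closes the style attribute and adds an event handler.
var ATTACKER_COLOR = 'red" onmouseover="alert(document.cookie)';

// In a real page this appends a harmless div; the handler never exists.
if (typeof document !== 'undefined') {
  document.body.appendChild(renderColoredText(document, ATTACKER_COLOR, 'example'));
}
```

With the attacker value above, buildUnsafeMarkup returns markup whose div carries an onmouseover attribute, which is exactly what the default validation would have stripped and what execUnsafeLocalFunction lets through. renderColoredText falls back to a neutral colour and keeps the text as text, so the same input renders as plain "example".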