Databases
StackOverflow2013
Postsdbo
POhtml() vs innerHTML jquery/javascript & XSS attacks
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POhtml() vs innerHTML jquery/javascript & XSS attacks
    primarykey
    data
    text
    <p>I'm testing xss attacks on my own code. The example beneath is a simple box where an user can type whatever he wants. After pressing "test!" button, JS will show the input string into two divs.This is an example I made to explain better my question:</p> <pre><code>&lt;html&gt; &lt;script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"&gt;&lt;/script&gt; &lt;script type="text/javascript"&gt; function testIt(){ var input = document.getElementById('input-test').value; var testHtml = document.getElementById('test-html'); var testInnerHTML = document.getElementById('test-innerHTML'); $(testHtml).html(input); testInnerHTML.innerHTML = input; } &lt;/script&gt; &lt;head&gt;this is a test&lt;/head&gt; &lt;body&gt; &lt;input id="input-test" type="text" name="foo" /&gt; &lt;input type="button" onClick="testIt();" value="test!"/&gt; &lt;div id="test-html"&gt; &lt;/div&gt; &lt;div id="test-innerHTML"&gt; &lt;/div&gt; &lt;/body&gt; </code></pre> <p></p> <p>if you try to copy it into a .html file and run it, it will work fine, but if you try to input <code>&lt;script&gt;alert('xss')&lt;/script&gt;</code>, only one alert box will be thrown: the one inside `test-html' div (with html() function).</p> <p>I really can't understand why this is happening, and also, inspecting the code with firebug gives me this result (after injecting the script)</p> <pre><code>&lt;body&gt; this is a test &lt;input id="input-test" type="text" name="foo"&gt; &lt;input type="button" value="test!" onclick="testIt();"&gt; &lt;div id="test-html"&gt; &lt;/div&gt; &lt;div id="test-innerHTML"&gt; &lt;script&gt; alert('xss') &lt;/script&gt; &lt;/div&gt; &lt;/body&gt; </code></pre> <p>as you can see <code>test-html</code> div is empty, and <code>test-innerhtml</code> div contans the script. Can someone tell me why? Is because html() is more secure against scripts injection or something similar?</p> <p>Thanks in advance, best regards.</p>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. This table or related slice is empty.
    1. USBeNdErR
    plurals
    1. PL
      singulars
      1. LTLinked
    2. PL
      singulars
      1. LTLinked
    1. PL
      singulars
      1. LTLinked
    2. PL
      singulars
      1. LTDuplicate
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    2. PO
      singulars
      1. PTAnswer
    3. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POhtml() vs innerHTML jquery/javascript & XSS attacks
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POhtml() vs innerHTML jquery/javascript & XSS attacks
      1. This table or related slice is empty.
      1. VTUpMod
    1. COYou don't have to worry about security as the user types, because whatever script they try to insert will only affect them at that point. What you do need to worry about is what happens when the entered text gets submitted to your webserver - if you're storing it in a database you need to be sure you don't just blindly concatenate the entered text on the end of an SQL query. If you later return previously entered text you need to be sure that the entered value is escaped so that, e.g., "<script>" becomes "&lt;script&gt;" and thus the browser won't recognise it as a script tag.
      singulars
      1. POhtml() vs innerHTML jquery/javascript & XSS attacks
      1. USnnnnnn
    2. COHi nnnnnnn. XSS can occure even if the script never reaches the server. There are two types. Self-XSS where the user is tricked into typing something somehow, and then DOM-based XSS, which means the browser is using untrusted input directly in the browser, which never reaches the server. Typically this could be window.name, window.referer or data from after the # in the url. Lots of big sites around the web (wikipedia, aol, twitter) have had DOM based XSS.
      singulars
      1. POhtml() vs innerHTML jquery/javascript & XSS attacks
      1. USErlend
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload