\" which would cause an alert box to pop up on your page when the user visits it.","dateCreated":"2022-06-16T08:00:49.399Z","upvoteCount":0,"url":"https://www.mend.io/free-developer-tools/a/community/secure-coding/why-is-a-javascript-call-unsafe-if-it-s-used-to-introduce-valid-javascript-into-the-dom/#62aae33d4aa323c63cd91b10"},"suggestedAnswer":[{"@type":"Answer","text":"A JavaScript call is considered unsafe if it can be used to introduce valid JavaScript into the DOM. This can be exploited by an attacker to run arbitrary code on the victim's machine. For example, an attacker could use a JavaScript call to insert a malicious script into a webpage. This script would then be executed by the victim's browser, allowing the attacker to take control of the victim's machine.\n\n\nFor example, if you're appending user input to the DOM as plain text, without sanitizing it first, then an attacker could inject valid JavaScript into your page. For example, they could input \"\" which would cause an alert box to pop up on your page when the user visits it.","dateCreated":"2022-06-16T08:00:49.399Z","upvoteCount":0,"url":"https://www.mend.io/free-developer-tools/a/community/secure-coding/why-is-a-javascript-call-unsafe-if-it-s-used-to-introduce-valid-javascript-into-the-dom/#62aae33d4aa323c63cd91b10","author":{"@type":"Person","name":"Alphonse Hancock","image":{"@type":"ImageObject","url":""}}}]}}

Why is a JavaScript call unsafe if it's used to introduce valid JavaScript into the DOM?

Asked 6 months ago

I'm trying to understand why a JavaScript call is unsafe if it can be used to add valid JavaScript into the DOM. Can someone explain this to me with an example?

Alphonse Hancock

Thursday, June 16, 2022

A JavaScript call is considered unsafe if it can be used to introduce valid JavaScript into the DOM. This can be exploited by an attacker to run arbitrary code on the victim's machine. For example, an attacker could use a JavaScript call to insert a malicious script into a webpage. This script would then be executed by the victim's browser, allowing the attacker to take control of the victim's machine. For example, if you're appending user input to the DOM as plain text, without sanitizing it first, then an attacker could inject valid JavaScript into your page. For example, they could input "<script>alert('xss');</script>" which would cause an alert box to pop up on your page when the user visits it.





Write an answer...

Cancel

Please follow our  Community Guidelines

Can't find what you're looking for?