Why is a JavaScript call unsafe if it's used to introduce valid JavaScript into the DOM?
Asked 2 years ago
I'm trying to understand why a JavaScript call is unsafe if it can be used to add valid JavaScript into the DOM. Can someone explain this to me with an example?
Alphonse Hancock
Thursday, June 16, 2022
A JavaScript call is considered unsafe if it can be used to introduce valid JavaScript into the DOM. This can be exploited by an attacker to run arbitrary code on the victim's machine. For example, an attacker could use a JavaScript call to insert a malicious script into a webpage. This script would then be executed by the victim's browser, allowing the attacker to take control of the victim's machine. For example, if you're appending user input to the DOM as plain text, without sanitizing it first, then an attacker could inject valid JavaScript into your page. For example, they could input "<script>alert('xss');</script>" which would cause an alert box to pop up on your page when the user visits it.
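The difference the answer describes, shown as an added example that is not part of the original post: the same input is placed into markup by plain concatenation and then with escaping, and a browser-side helper assigns it through `textContent`. All function names are hypothetical, and the sample input is the string quoted in the answer.

```javascript
// Added example. Function names are hypothetical; the input is the string from the answer.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace the characters that let text break out into markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: the input is concatenated into markup, so an HTML parser
// treats any tags inside it as real elements.
function renderCommentUnsafe(comment) {
  return '<p class="comment">' + comment + '</p>';
}

// Safe: the input is escaped first, so the parser sees only text.
function renderCommentSafe(comment) {
  return '<p class="comment">' + escapeHtml(comment) + '</p>';
}

// Crude count of element start tags in a markup string, used here only to
// show how many elements each rendering would hand to the parser.
function countStartTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// In a browser, prefer DOM APIs that never parse markup at all.
function appendCommentToDom(container, comment) {
  const p = container.ownerDocument.createElement('p');
  p.className = 'comment';
  p.textContent = comment; // stored as text, never parsed as HTML
  container.appendChild(p);
  return p;
}

const userInput = "<script>alert('xss');</script>";

console.log(renderCommentUnsafe(userInput)); // contains a live <script> element
console.log(renderCommentSafe(userInput));   // contains only escaped text
console.log(countStartTags(renderCommentUnsafe(userInput)), // 2: <p> and <script>
            countStartTags(renderCommentSafe(userInput)));  // 1: <p> only
```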