\" which would cause an alert box to pop up on your page when the user visits it.","dateCreated":"2022-06-16T08:00:49.399Z","upvoteCount":0,"url":"https://www.mend.io/free-developer-tools/a/community/secure-coding/why-is-a-javascript-call-unsafe-if-it-s-used-to-introduce-valid-javascript-into-the-dom/#62aae33d4aa323c63cd91b10"},"suggestedAnswer":[{"@type":"Answer","text":"A JavaScript call is considered unsafe if it can be used to introduce valid JavaScript into the DOM. This can be exploited by an attacker to run arbitrary code on the victim's machine. For example, an attacker could use a JavaScript call to insert a malicious script into a webpage. This script would then be executed by the victim's browser, allowing the attacker to take control of the victim's machine.\n\n\nFor example, if you're appending user input to the DOM as plain text, without sanitizing it first, then an attacker could inject valid JavaScript into your page. For example, they could input \"\" which would cause an alert box to pop up on your page when the user visits it.","dateCreated":"2022-06-16T08:00:49.399Z","upvoteCount":0,"url":"https://www.mend.io/free-developer-tools/a/community/secure-coding/why-is-a-javascript-call-unsafe-if-it-s-used-to-introduce-valid-javascript-into-the-dom/#62aae33d4aa323c63cd91b10","author":{"@type":"Person","name":"Alphonse Hancock","image":{"@type":"ImageObject","url":""}}}]}}

Why is a JavaScript call unsafe if it's used to introduce valid JavaScript into the DOM?

Asked 2 years ago

I'm trying to understand why a JavaScript call is unsafe if it can be used to add valid JavaScript into the DOM. Can someone explain this to me with an example?

Alphonse Hancock

Thursday, June 16, 2022

A JavaScript call is considered unsafe if it can be used to introduce valid JavaScript into the DOM. This can be exploited by an attacker to run arbitrary code on the victim's machine. For example, an attacker could use a JavaScript call to insert a malicious script into a webpage. This script would then be executed by the victim's browser, allowing the attacker to take control of the victim's machine. For example, if you're appending user input to the DOM as plain text, without sanitizing it first, then an attacker could inject valid JavaScript into your page. For example, they could input "<script>alert('xss');</script>" which would cause an alert box to pop up on your page when the user visits it.
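To make the answer concrete, here is an added example (not part of the original post) showing the same user input handled two ways: concatenated into markup that a page would hand to `innerHTML`, which the browser parses as HTML, and escaped (or routed through `textContent`) so the browser treats it as inert text. The `HOSTILE_COMMENT` value is a constructed sample using the payload from the answer, and `looksLikeActiveMarkup` is a hypothetical review-time check, not a library function.

```javascript
// Added example, not code from the original post: the same untrusted string
// rendered unsafely (as HTML) and safely (as escaped text / via textContent).

// Constructed sample of hostile user input, the payload the answer above uses.
const HOSTILE_COMMENT = "<script>alert('xss');</script>";

// Vulnerable pattern: user data is concatenated into a string that the page
// would assign to element.innerHTML. The browser parses the <script> tag as
// markup rather than showing it as text.
function renderCommentUnsafe(userInput) {
  return `<p class="comment">${userInput}</p>`;
}

// Escape the five characters that let data break out of an HTML text context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: the same markup, but the user data is escaped first, so
// the browser renders the literal characters "<script>" instead of a tag.
function renderCommentSafe(userInput) {
  return `<p class="comment">${escapeHtml(userInput)}</p>`;
}

// Preferred in browser code: avoid HTML parsing entirely by using a text sink.
// `el` is any object with a textContent property (a real DOM element in a
// browser; a plain object here so the example runs under node).
function setCommentText(el, userInput) {
  el.textContent = userInput; // stored as text, never parsed as markup
  return el;
}

// Hypothetical review-time check (assumed helper, not a library API): does the
// string about to reach an HTML sink still contain an unescaped script tag or
// an inline event-handler attribute?
function looksLikeActiveMarkup(html) {
  return /<\s*script\b|\son[a-z]+\s*=/i.test(html);
}

// Demonstration when run directly with node.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const unsafe = renderCommentUnsafe(HOSTILE_COMMENT);
  const safe = renderCommentSafe(HOSTILE_COMMENT);
  console.log("unsafe markup :", unsafe);
  console.log("safe markup   :", safe);
  console.log("unsafe active?:", looksLikeActiveMarkup(unsafe));
  console.log("safe active?  :", looksLikeActiveMarkup(safe));
  console.log("textContent   :", setCommentText({ textContent: "" }, HOSTILE_COMMENT).textContent);
}
```

The point of the two renderers is that the sink decides how data is interpreted: anything that reaches `innerHTML`, `document.write`, or similar HTML-parsing APIs must be escaped for that context, while `textContent` and `createTextNode` never parse their input, so they are the simpler choice whenever you only need to display text.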
