XSS
Introduction
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Example
function renderMessages() {
let messageItems = '';
for (const message of userMessages) {
messageItems = `
${messageItems}
<li class="message-item">
<div class="message-image">
<img src="${message.image}" alt="${message.text}">
</div>
<p>${message.text}</p>
</li>
`;
}
userMessagesList.innerHTML = messageItems;
}
function formSubmitHandler(event) {
event.preventDefault();
const userMessageInput = event.target.querySelector('textarea');
const messageImageInput = event.target.querySelector('input');
const userMessage = userMessageInput.value;
const imageUrl = messageImageInput.value;
if (
!userMessage ||
!imageUrl ||
userMessage.trim().length === 0 ||
imageUrl.trim().length === 0
) {
alert('Please insert a valid message and image.');
return;
}
userMessages.push({
text: userMessage,
image: imageUrl,
});
userMessageInput.value = '';
messageImageInput.value = '';
renderMessages();
}
Prevention
Encode data on output
Validate input on arrival
Reference
Last updated
Was this helpful?