Despite my paranoia I’ve never really gotten around to understanding web security more, so my lack of knowledge is causing me a bit of confusion for this.
Example: Let’s say you have 2 text boxes, both are for user input.
The user types in whatever they want into those two text boxes and clicks a button, the button then uses a bit of JavaScript and concatenates whatever is in those two text boxes and displays it out in a div.
My question is, in this case, since it’s using JavaScript client side, do you need to really sanitize user input?
What if it outputted to a text box instead of a div? Or as an alert?
I understand that when it comes to forms/PHP you always want to sanitize input, but I’m not really familiar with JavaScript security precautions.
It’s my understanding that since this is client-side, and no data is being saved by the server, that whatever the user does (tries to throw in some malicious code or whatnot) won’t affect anyone but that user, correct?
No this is not a security issue. The reason why is because an attacker has to force a victim’s the browser into making this action in order for it to be XSS.
However, if you grab input from something like
document.locationand then print it to the page usingdocument.write()then this is DOM based XSS. But this is very a uncommon form of XSS.