Home/ Questions/Q 6875383
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T04:18:57+00:00

I have a disagreement with a security auditor, whether a snippet of html/js is

  • 0

I have a disagreement with a security auditor, whether a snippet of html/js is vulnerable to XSS or not.

In short this is it:

<html>
<form name="myform" action="page.php" method="post" onsubmit="return validate()">
<input name="field" type="text" size="50" />
<input type="submit" value="Submit" />
</form>

<script>
function validate()
{
  var str=document.myform.field.value;
  alert("Error in " + str);
  return false
}
</script>
</html>

So, my auditor says that this can be vulnerable to DOM-based XSS, but has not yet given me an example.

I personally think that it is not, since because of the + inside alert, str is a string so it’s not executed. For example if someone provides “document.cookie” in the form and hits submit, then the alert box is going to print “Error in document.cookie” (and not the actual cookie).

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The only way this could be a potential threat is if you are including scripts that are not under your control from an untrustworthy source.

    • The malicious script could overwrite alert to be another function. For example, it could send the data passed to alert to its own servers.
    • The malicious script could overwrite the value of document.myform.field with an object containing a value property. The alert could be thus made to display a message that looked like a different error message, such as:

    Error in authentication. Please go to http://www.phisherman.com and enter your user name and password.

    If you are linking to scripts from untrustworthy sources, you have much greater security concerns than the above.

    If you are linking to no such untrustworthy scripts, then no, this is not vulnerable to DOM-based XSS. form.field.value contains a string. It is not evaluated as script, escape characters have no effect, the string contained in the textbox will be displayed in the alert window. Nothing a user enters in that field could be used to harm your servers or corrupt your data based on the code you’ve posted.

    I’d say that if your auditor is concerned with “DOM-based XSS” where-in a user might cause harm to your servers by manipulating the DOM, your auditor does not know much about DOM and browser-based JavaScript. A user can crack open a JavaScript console and execute all manner of scripts, including XMLHttpRequests to your server that can be made to look like they came from your own script. Precautions need to be made on the server for those types of attacks. Worrying about the security risks to the DOM or UI from user input in form fields is silly.

    • 0