Is it 100% safe to do the following?:
var untrusted_input_from_3rd_party = '<script>alert("xss")<\/script>';
document.getElementsByTagName('body')[0].appendChild(document.createTextNode(untrusted_input_from_3rd_party));
Considering that the third party can input anything (HTML, CSS, etc.), can I be sure it won’t do any harm if I pass it through createTextNode and then add it to the dom?
This is a fine way to prevent XSS. DOM manipulation via createTextNode is widely used to safely embed third party text. That said, there are problems besides XSS.
It doesn’t do anything to stop social engineering attempts if the untrusted input is something like:
The best way to prevent social engineering (besides not including third-party content) is to make it clear that the content comes from a third party.
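As an added example, not part of the question or the answer above, here is a helper that combines both points: it inserts the third-party string only as a text node and puts a visible origin label next to it. `renderThirdPartyText`, the injected `doc` parameter and `sourceName` are assumed names introduced for this example.

```javascript
// Added example (not from the question or the answer): insert an
// untrusted third-party string as a text node only, and visibly label
// where it came from. `doc` is passed in so the same function runs
// against a real `document` or a test double; `sourceName` is assumed.
function renderThirdPartyText(doc, container, untrustedText, sourceName) {
  // The unsafe alternative would be `container.innerHTML = untrustedText`,
  // which hands the string to the HTML parser. Nothing below does that.
  const wrapper = doc.createElement('section');
  wrapper.setAttribute('data-origin', 'third-party');
  wrapper.setAttribute('aria-label', 'Content from ' + sourceName);

  // The origin label is built from a text node too, so a hostile
  // sourceName cannot smuggle markup through the label.
  const label = doc.createElement('p');
  label.appendChild(
    doc.createTextNode('Content from ' + sourceName + ', not written by this site:')
  );

  // createTextNode stores the string as character data: "<script>" ends
  // up as the literal characters '<', 's', ... and never becomes an element.
  const body = doc.createElement('p');
  body.appendChild(doc.createTextNode(untrustedText));

  wrapper.appendChild(label);
  wrapper.appendChild(body);
  container.appendChild(wrapper);
  return wrapper;
}

// Browser usage with the question's constructed payload; skipped under Node.
if (typeof document !== 'undefined') {
  renderThirdPartyText(document, document.body,
    '<script>alert("xss")<\/script>', 'example.com');
}
```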