File: cheatsheets/AJAX_Security_Cheat_Sheet.md
Lines changed: 7 additions & 2 deletions
@@ -14,14 +14,15 @@ Manipulating the Document Object Model (DOM) is common in web applications, espe
14
14
15
15
The `innerHTML` property sets or gets the HTML content of an element, including tags, which the browser parses and renders as part of the DOM. For example, setting `innerHTML = "<p>Hello</p>"` creates a paragraph element.
16
16
17
-
##### Why does `innerHTML`requires extreme cautions?
17
+
##### Why does `innerHTML`require extreme caution?
18
18
19
19
Using `innerHTML` with untrusted data (e.g., from API responses in AJAX) can allow malicious JavaScript to execute in the user’s browser, leading to XSS vulnerabilities. Potential risks include:
20
20
21
21
- Stealing user session cookies.
22
22
- Defacing the website.
23
23
- Redirecting users to malicious sites.
24
24
- Performing unauthorized actions (e.g., API calls on behalf of the user).
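Review bot: the corrected heading on the `+` line still runs the code span straight into the next word: `##### Why does `innerHTML`require extreme caution?` is missing a space after the closing backtick and renders as "innerHTMLrequire". Suggest `##### Why does `innerHTML` require extreme caution?`. The grammar fix itself (requires → require, cautions → caution) is right.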
-**Use `textContent`**: Use textContent in monolithic applications to safely insert plain text content returned from APIs.
81
82
-**Use `innerText`**: Only when CSS visibility or rendered text formatting (e.g. ignoring text in `display: none` elements) is required.
82
83
84
+
> Note: `textContent` is slightly faster and more predictable; use it unless you need to respect rendered text formatting (`innerText`).
85
+
83
86
##### Note
84
87
85
88
- While `textContent` and `innerText` are safe for inserting plain text into the DOM, they do not protect against XSS in other contexts such as HTML attributes, JavaScript event handlers, or URLs. Always validate and sanitize untrusted input.
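Review bot: the added blockquote asserts that `textContent` is "slightly faster and more predictable", a performance claim the cheat sheet does not substantiate and that is not the reason to prefer it. The bullets above already state the security-relevant guidance (both APIs insert plain text rather than markup; `innerText` is only needed when CSS visibility or rendered text formatting matters), so suggest trimming the note to that distinction, e.g. `> Note: Prefer `textContent`; use `innerText` only when you need the rendered-text behaviour.` While here, "in monolithic applications" in the `textContent` bullet reads as an odd restriction, since the advice applies to any application that inserts API-returned text into the DOM.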
`eval()` function is dangerous, never use it. Needing to use eval() usually indicates a problem in your design.
91
94
95
+
> Note: Using `eval()` or `new Function()` opens doors to remote code execution and XSS. Avoid it entirely.
96
+
92
97
#### Encode Data Before Use in an Output Context
93
98
94
99
When using data to build HTML, script, CSS, XML, JSON, etc., make sure you take into account how that data must be presented in a literal sense to keep its logical meaning.
95
100
96
-
Data should be properly encoded before used in this manner to prevent injection style issues, and to make sure the logical meaning is preserved.
101
+
Data should be properly encoded before being used in this manner to prevent injection style issues, and to make sure the logical meaning is preserved.
97
102
98
103
[Check out the OWASP Java Encoder Project.](https://owasp.org/www-project-java-encoder/)
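Review bot: the added `eval()` note labels the risk as "remote code execution and XSS"; in the browser context this cheat sheet covers, feeding untrusted data to `eval()` or `new Function()` yields arbitrary JavaScript execution in the user's browser, which is XSS (client-side code injection), not server-side RCE. Suggest `> Note: Passing untrusted data to `eval()` or `new Function()` lets an attacker run arbitrary JavaScript in the user's browser. Avoid both entirely.` The wording fix below ("before used" → "before being used") is correct.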