include::../description.adoc[]

== Noncompliant Code Example

Example of a basic DOM-based XSS attack (http://vulnerable/page.html#<img onerror='alert(1); src='invalid-image' />): the URL fragment is under the attacker's control, and writing it to `innerHTML` makes the browser parse it as markup, so the injected `onerror` handler runs in the page's origin:

----
// Source: the fragment of the current URL, fully attacker-controlled
const rootDiv = document.getElementById('root');
const hash = decodeURIComponent(location.hash.substr(1));
// Sink: the string is parsed as HTML and any markup in it is executed
rootDiv.innerHTML = hash;
----

== Compliant Solution

The https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/innerText[innerText] property of an HTML element sets or returns its text content; assigning to it removes all existing child nodes and inserts the value as plain text, so it is never parsed as markup:

----
const rootDiv = document.getElementById('root');
const hash = decodeURIComponent(location.hash.substr(1));
// The fragment is shown literally; tags and event handlers stay inert text
rootDiv.innerText = hash;
----
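As an added example (not part of this rule's own code), a small helper that applies the compliant approach end to end: the fragment is decoded with a fallback for malformed percent-encoding, which makes a bare `decodeURIComponent` call like the one above throw `URIError`, and the result is assigned to `textContent` so it is never parsed as HTML. The names `readFragment` and `renderFragmentAsText`, the `element` parameter and the sample hash are assumptions; the element only needs a `textContent` property, which makes the helper testable outside a browser.

```javascript
// Added example, not from the rule page. Helper names are hypothetical.

// Extract and decode the text after '#'. decodeURIComponent throws
// URIError on malformed percent-encoding (e.g. "#%E0%A4%A"), which the
// page's own snippet does not handle, so fall back to the raw fragment.
function readFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (err) {
    if (err instanceof URIError) return raw;
    throw err;
  }
}

// Sink side: assign to textContent so the browser never parses the string
// as markup. innerText (used in the compliant solution) is equally safe for
// this purpose; textContent is the layout-independent variant and also
// works on elements that are not currently rendered.
function renderFragmentAsText(element, hash) {
  element.textContent = readFragment(hash);
  return element.textContent;
}

// Constructed payload mirroring the rule's example URL fragment.
const SAMPLE_HASH = "#<img onerror='alert(1);' src='invalid-image' />";

// Browser usage, guarded so the file also loads in a non-browser runtime.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  renderFragmentAsText(document.getElementById('root'), location.hash);
}
```

With `SAMPLE_HASH` the element ends up containing the literal string `<img onerror='alert(1);' src='invalid-image' />` and no `<img>` node is ever created, so `onerror` cannot fire.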

include::../see.adoc[]