DEV Community


Discussion on: Recovering From jQuery

Jannis Jorre

Just dropping in to say that you shouldn't use .innerHTML unless you can be 100% sure that what you'll insert is safe. XSS (cross-site scripting) is a very relevant attack vector.
Of course, if the whole site is built on it, it's hard to migrate to .innerText, because it's just not a replacement. But still, .innerHTML opens up your app to all sorts of issues.

(Classic example attack:
Site's behavior: the user enters information like their username and sends it to the server; the server responds with HTML including that username, which is inserted using .innerHTML.
The attack: simply an added <script>...</script> tag, which can now wreak havoc on the site. Not very interesting if it's only rendered to the same user, but extremely interesting if the username is rendered into the markup of the page while another user is logged in (or even better: is logging in, so the script could read the password).)

Even better than .innerText would be appendChild and friends, of course, but that's more advanced.

Thanks for all the links! I'll pass them on whenever someone tells me how much easier jQuery is compared to JS😜
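The three options the comment above contrasts (.innerHTML, .innerText/textContent, and appendChild), shown side by side as an added example in browser JavaScript; this is not code from the comment or from the original post. The hostile username, the function names and the `escapeHtml` fallback are constructed for the demonstration, and the Document is passed in as `doc` so the node-building function has no hidden globals.

```javascript
// Constructed attacker-style username: a <script> tag smuggled in as "data".
const HOSTILE_NAME = 'alice<script>/* attacker code */</script>';

// 1. Vulnerable: the string is parsed as markup, so the <script> tag in the
//    username becomes a real element of the page.
function showNameUnsafe(container, name) {
  container.innerHTML = '<p>Welcome, ' + name + '!</p>';
  return container.innerHTML;
}

// 2. Safe, minimal change: textContent stores the string as text, never as
//    markup (innerText behaves the same here but is layout-aware and slower).
function showNameAsText(container, name) {
  container.textContent = 'Welcome, ' + name + '!';
  return container.textContent;
}

// 3. Safe and structured: build nodes with createElement/createTextNode and
//    appendChild; untrusted data only ever lands inside a text node.
function showNameAsNodes(doc, container, name) {
  const p = doc.createElement('p');
  p.appendChild(doc.createTextNode('Welcome, '));
  const strong = doc.createElement('strong');
  strong.textContent = name;            // text, not markup
  p.appendChild(strong);
  p.appendChild(doc.createTextNode('!'));
  container.appendChild(p);
  return p;
}

// 4. Fallback while innerHTML cannot be removed yet: escape every untrusted
//    value before interpolating it, so "<" can never start a tag.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}
function showNameEscaped(container, name) {
  container.innerHTML = '<p>Welcome, ' + escapeHtml(name) + '!</p>';
  return container.innerHTML;
}

// Browser usage (skipped when run outside a browser, e.g. under Node).
if (typeof document !== 'undefined') {
  const box = document.createElement('div');
  document.body.appendChild(box);
  showNameAsNodes(document, box, HOSTILE_NAME); // renders the name literally
}
```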