[OpenAjaxSecurity] innerHTML?

Jon Ferraiolo jferrai at us.ibm.com
Fri Jul 20 10:31:11 PDT 2007


Hi Gorm,
I got your note about whether we should say something in the security white
paper about innerHTML and code injection risks. I am copying the Security
TF to allow the experts to respond.

It does seem to me that we should mention and show an example of how there
is a vulnerability where client-side JavaScript assumes that the content
model for an HTML element is plain text and then simply does an
    myElement.innerHTML = textStringFromServer
but if the textStringFromServer looked like this "<script>...</script>"
then script would be injected.

Jon
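
The pattern described in the message, next to two ways of closing it, as an added example that is not part of the original message or of any OpenAjax code. Apart from `myElement.innerHTML` and `textStringFromServer`, every name is hypothetical, and plain objects stand in for DOM elements so the block also runs outside a browser.

```javascript
// Added example (not from the original message). Function names other than
// the page's `textStringFromServer` are hypothetical.

// Characters that must be escaped before a string is placed into HTML
// element content or a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern from the message: the string is handed to the HTML parser,
// so any tags in it are treated as markup instead of being displayed.
function renderUnsafe(el, textStringFromServer) {
  el.innerHTML = textStringFromServer;
}

// Preferred fix: a text-only sink. The string becomes a single text node
// and is never parsed as markup.
function renderAsText(el, textStringFromServer) {
  el.textContent = textStringFromServer;
}

// When the string has to sit inside markup the client builds itself,
// escape it first. Valid for element content and quoted attribute values
// only, not for script blocks, URLs or style values.
function renderInTemplate(el, textStringFromServer) {
  el.innerHTML = '<span class="msg">' + escapeHtml(textStringFromServer) + '</span>';
}

// Constructed sample input, using the string shape quoted in the message.
function demo() {
  const sample = '<script>...</script>';
  const a = {}, b = {}, c = {};
  renderUnsafe(a, sample);
  renderAsText(b, sample);
  renderInTemplate(c, sample);
  return { unsafe: a.innerHTML, text: b.textContent, template: c.innerHTML };
}

console.log(demo());
```

In a browser, pass real elements instead of the stand-in objects; `renderAsText` is the right choice whenever the content model really is plain text.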