How To Prevent The Most Common Cross Site Scripting Attack
Key Takeaways
The video discusses how to prevent the most common cross-site scripting (XSS) attack by avoiding the use of innerHTML with user input and instead using innerText or escaping user input to prevent JavaScript injection.
Full Transcript
hello everybody how you doing in my JavaScript shopping cart tutorial I got a comment related to JavaScript injection and how it could be a problem for people that are using javascript I figured that this was such a great topic that I've decided to make an entire video about the most common form of JavaScript injection that you'll run into when you're developing your own websites so let's get started doing that right now so I'll have this amazing website that at first glance look completely normal you type in an input here just hi for example you click search and it'll just say you queried hi and in the URL it'll put your query up here that's all it does super simple straightforward website and you'd think there's nothing wrong with this website right type in whatever you want hit enter and there you go shows you exactly what you queried right there but this site is actually vulnerable to JavaScript injection now your first thought would be if you want to inject your author script into a page you'd put some script tags here write some JavaScript inside of it so let's just say hi inside of an alert and then you would end that script tag and you'd think by running this you would inject JavaScript into the page and you are correct you do inject this script tag into the page but script tags will not run when they're injected into the page in this manner in order to actually inject JavaScript into the page we need to use an image tag surprisingly with a blank source when an image tag has no source it'll throw an error so we can use the on error function of this image source to run some code whenever this image gets loaded into our page since there is no source port so we'll just put that alert inside of our on error function here close out our image tag and if we hit search you'll see that we now have this alert box that pops up this is hi I'm anything that we put in outside of here for example when we search it'll show up in here so we've essentially injected JavaScript into the page and now you may be thinking that's not really a problem because you're just injecting JavaScript into your own page so the only person you can affect is yourself but since this query is inside of the URL here if I send this URL to somebody as soon as they go to it it will inject this into their page so for example if I go to a new tab here and search this URL you see that I get this hacked message which is what a hacker would want to do and you may think well what can they do with this they can access some pretty sensitive information for example they can access the document cookies so we'll just go in here with another alert we'll just say document dot cookie and if we run this again you can obviously their they have access to my username and my password which are stored in the cookies for this website now in a normal website they wouldn't actually store your password and username but they will store a session ID which is essentially both your password and user name together and if you have access to that you can log into the site as that user so this is something that a hacker could do in order to gain your information and then all they would have to do inside of their script is just email this or send it to their own site and then they'll have that information available to themselves just based on this simple JavaScript injection that they're able to perform with this search query so now let's look at how we can solve this problem if we look at the actual code for this page here we see that when our page loads we get our query from the URL so we get this attribute here that we sent to the page with the search and then we're setting that to the input so that it's this plate here and we're also setting it to this query output where it says you query it and then whatever you've queried but we're using inner HTML and inner HTML is not safe to injection if the user inputs valid HTML or a script tag or an image tag it'll render that as actual HTML instead of as text in order to get around this all we need to do is change this to be inner text now if we save that and run you see that it just shows the text that they put inside of the input box and not actually injects it into the page and you may think that you're never gonna end up running into this problem because obviously why would you use inner HTML here but there are many instances where you may want to inject dynamic HTML into your page and in order to do that you're going to need to use inner HTML but if you do use inner HTML you need to make sure nothing that goes into that inner age email is sent to you by the user unless you first escape that user input so essentially make us that that user input will render as a string no matter what you do because you escape out all of the different HTML specific symbols so that it can no longer be rendered as HTML and must be rendered as text so I hope you guys enjoyed this quick video on one of the most common ways that JavaScript injection will happen in your web pages thank you guys very much for watching and have a good day
Original Description
Cross site scripting is one of the most common ways that a hacker will attempt to infiltrate a website. There are many different forms of cross site scripting, but the most common cause of cross site scripting is using the JavaScript method innerHTML with user input. Any form of user input must be escaped before being used with innerHTML, and any use of innerHTML should be thoroughly thought out to ensure no user input can make it through without being sanitized. It is such an easy mistake to make, but luckily the fix is also just as easy.
Cross Site Scripting Article:
https://blog.webdevsimplified.com/2020-09/javascript-xss
CodePen For This Video:
https://codepen.io/WebDevSimplified/pen/xyRGxw
Twitter:
https://twitter.com/DevSimplified
GitHub:
https://github.com/WebDevSimplified
CodePen:
https://codepen.io/WebDevSimplified
#XSS #WebDevelopment #Programming
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from Web Dev Simplified · Web Dev Simplified · 24 of 60
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
▶
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Introduction to Web Development || Setup || Part 1
Web Dev Simplified
Introduction to Web Development || Understanding the Web || Part 2
Web Dev Simplified
Introduction to HTML || Your First Web Page || Part 1
Web Dev Simplified
Introduction to HTML || Basic HTML Elements || Part 2
Web Dev Simplified
Introduction to HTML || Advanced HTML Elements || Part 3
Web Dev Simplified
Introduction to HTML || Links and Inputs || Part 4
Web Dev Simplified
Learn Git in 20 Minutes
Web Dev Simplified
5 Must Know Sites For Web Developers
Web Dev Simplified
10 Best Visual Studio Code Extensions
Web Dev Simplified
Learn CSS in 20 Minutes
Web Dev Simplified
How to Style a Modern Website (Part One)
Web Dev Simplified
How to Style a Modern Website (Part Two)
Web Dev Simplified
3D Flip Button Tutorial
Web Dev Simplified
How to Style a Modern Website (Part Three)
Web Dev Simplified
Animated Loading Spinner Tutorial
Web Dev Simplified
How to Write the Perfect Developer Resume
Web Dev Simplified
Animated Text Reveal Tutorial
Web Dev Simplified
Learn Flexbox in 15 Minutes
Web Dev Simplified
Custom Checkbox Tutorial
Web Dev Simplified
Start Contributing to Open Source (Hacktoberfest)
Web Dev Simplified
JavaScript Shopping Cart Tutorial for Beginners
Web Dev Simplified
Responsive Video Background Tutorial
Web Dev Simplified
1,000 Subscriber Giveaway
Web Dev Simplified
How To Prevent The Most Common Cross Site Scripting Attack
Web Dev Simplified
Transparent Login Form Tutorial
Web Dev Simplified
The Forgotten CSS Position
Web Dev Simplified
How to Code a Card Matching Game
Web Dev Simplified
10 Must Install Visual Studio Code Extensions
Web Dev Simplified
Learn CSS Grid in 20 Minutes
Web Dev Simplified
Learn JSON in 10 Minutes
Web Dev Simplified
10 Essential Keyboard Shortcuts For Programmers
Web Dev Simplified
What Is The Fastest Way To Load JavaScript
Web Dev Simplified
Differences Between Var, Let, and Const
Web Dev Simplified
How To Install MySQL (Server and Workbench)
Web Dev Simplified
Learn SQL In 60 Minutes
Web Dev Simplified
How To Solve SQL Problems
Web Dev Simplified
What Are Design Patterns?
Web Dev Simplified
Null Object Pattern - Design Patterns
Web Dev Simplified
Your First Node.js Web Server
Web Dev Simplified
How To Setup Payments With Node.js And Stripe
Web Dev Simplified
How To Learn Any New Programming Skill Fast
Web Dev Simplified
Asynchronous Vs Synchronous Programming
Web Dev Simplified
JavaScript ES6 Arrow Functions Tutorial
Web Dev Simplified
Are You Too Old To Learn Programming?
Web Dev Simplified
JavaScript Cookies vs Local Storage vs Session Storage
Web Dev Simplified
JavaScript Promises In 10 Minutes
Web Dev Simplified
Builder Pattern - Design Patterns
Web Dev Simplified
JavaScript == VS ===
Web Dev Simplified
JavaScript ES6 Modules
Web Dev Simplified
8 Must Know JavaScript Array Methods
Web Dev Simplified
CSS Variables Tutorial
Web Dev Simplified
JavaScript Async Await
Web Dev Simplified
How To Choose Your First Programming Language
Web Dev Simplified
Easiest Way To Work With Web Fonts
Web Dev Simplified
Singleton Pattern - Design Patterns
Web Dev Simplified
Responsive Navbar Tutorial
Web Dev Simplified
CSS Progress Bar Tutorial
Web Dev Simplified
Learn GraphQL In 40 Minutes
Web Dev Simplified
What is an API?
Web Dev Simplified
Learn How To Build A Website In 1 Hour!
Web Dev Simplified
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
Why I built Contextia: stopping secrets before they reach AI chats
Dev.to AI
The Complete Web Application Penetration Testing Guide (2026)— Part 2
Medium · Cybersecurity
The Networking Problem Nobody Talks About (Until It’s Too Late)
Medium · Cybersecurity
Built an AI-Powered WAF for PHP/Laravel Apps in Africa — Here’s What It Catches
Medium · Programming
🎓
Tutor Explanation
DeepCamp AI