How To Prevent The Most Common Cross Site Scripting Attack

Web Dev Simplified · Beginner ·🔐 Cybersecurity ·7y ago

Key Takeaways

The video discusses how to prevent the most common cross-site scripting (XSS) attack by avoiding the use of innerHTML with user input and instead using innerText or escaping user input to prevent JavaScript injection.

Full Transcript

hello everybody how you doing in my JavaScript shopping cart tutorial I got a comment related to JavaScript injection and how it could be a problem for people that are using javascript I figured that this was such a great topic that I've decided to make an entire video about the most common form of JavaScript injection that you'll run into when you're developing your own websites so let's get started doing that right now so I'll have this amazing website that at first glance look completely normal you type in an input here just hi for example you click search and it'll just say you queried hi and in the URL it'll put your query up here that's all it does super simple straightforward website and you'd think there's nothing wrong with this website right type in whatever you want hit enter and there you go shows you exactly what you queried right there but this site is actually vulnerable to JavaScript injection now your first thought would be if you want to inject your author script into a page you'd put some script tags here write some JavaScript inside of it so let's just say hi inside of an alert and then you would end that script tag and you'd think by running this you would inject JavaScript into the page and you are correct you do inject this script tag into the page but script tags will not run when they're injected into the page in this manner in order to actually inject JavaScript into the page we need to use an image tag surprisingly with a blank source when an image tag has no source it'll throw an error so we can use the on error function of this image source to run some code whenever this image gets loaded into our page since there is no source port so we'll just put that alert inside of our on error function here close out our image tag and if we hit search you'll see that we now have this alert box that pops up this is hi I'm anything that we put in outside of here for example when we search it'll show up in here so we've essentially injected JavaScript into the page and now you may be thinking that's not really a problem because you're just injecting JavaScript into your own page so the only person you can affect is yourself but since this query is inside of the URL here if I send this URL to somebody as soon as they go to it it will inject this into their page so for example if I go to a new tab here and search this URL you see that I get this hacked message which is what a hacker would want to do and you may think well what can they do with this they can access some pretty sensitive information for example they can access the document cookies so we'll just go in here with another alert we'll just say document dot cookie and if we run this again you can obviously their they have access to my username and my password which are stored in the cookies for this website now in a normal website they wouldn't actually store your password and username but they will store a session ID which is essentially both your password and user name together and if you have access to that you can log into the site as that user so this is something that a hacker could do in order to gain your information and then all they would have to do inside of their script is just email this or send it to their own site and then they'll have that information available to themselves just based on this simple JavaScript injection that they're able to perform with this search query so now let's look at how we can solve this problem if we look at the actual code for this page here we see that when our page loads we get our query from the URL so we get this attribute here that we sent to the page with the search and then we're setting that to the input so that it's this plate here and we're also setting it to this query output where it says you query it and then whatever you've queried but we're using inner HTML and inner HTML is not safe to injection if the user inputs valid HTML or a script tag or an image tag it'll render that as actual HTML instead of as text in order to get around this all we need to do is change this to be inner text now if we save that and run you see that it just shows the text that they put inside of the input box and not actually injects it into the page and you may think that you're never gonna end up running into this problem because obviously why would you use inner HTML here but there are many instances where you may want to inject dynamic HTML into your page and in order to do that you're going to need to use inner HTML but if you do use inner HTML you need to make sure nothing that goes into that inner age email is sent to you by the user unless you first escape that user input so essentially make us that that user input will render as a string no matter what you do because you escape out all of the different HTML specific symbols so that it can no longer be rendered as HTML and must be rendered as text so I hope you guys enjoyed this quick video on one of the most common ways that JavaScript injection will happen in your web pages thank you guys very much for watching and have a good day

Original Description

Cross site scripting is one of the most common ways that a hacker will attempt to infiltrate a website. There are many different forms of cross site scripting, but the most common cause of cross site scripting is using the JavaScript method innerHTML with user input. Any form of user input must be escaped before being used with innerHTML, and any use of innerHTML should be thoroughly thought out to ensure no user input can make it through without being sanitized. It is such an easy mistake to make, but luckily the fix is also just as easy. Cross Site Scripting Article: https://blog.webdevsimplified.com/2020-09/javascript-xss CodePen For This Video: https://codepen.io/WebDevSimplified/pen/xyRGxw Twitter: https://twitter.com/DevSimplified GitHub: https://github.com/WebDevSimplified CodePen: https://codepen.io/WebDevSimplified #XSS #WebDevelopment #Programming
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from Web Dev Simplified · Web Dev Simplified · 24 of 60

1 Introduction to Web Development || Setup || Part 1
Introduction to Web Development || Setup || Part 1
Web Dev Simplified
2 Introduction to Web Development || Understanding the Web || Part 2
Introduction to Web Development || Understanding the Web || Part 2
Web Dev Simplified
3 Introduction to HTML || Your First Web Page || Part 1
Introduction to HTML || Your First Web Page || Part 1
Web Dev Simplified
4 Introduction to HTML || Basic HTML Elements || Part 2
Introduction to HTML || Basic HTML Elements || Part 2
Web Dev Simplified
5 Introduction to HTML || Advanced HTML Elements || Part 3
Introduction to HTML || Advanced HTML Elements || Part 3
Web Dev Simplified
6 Introduction to HTML || Links and Inputs || Part 4
Introduction to HTML || Links and Inputs || Part 4
Web Dev Simplified
7 Learn Git in 20 Minutes
Learn Git in 20 Minutes
Web Dev Simplified
8 5 Must Know Sites For Web Developers
5 Must Know Sites For Web Developers
Web Dev Simplified
9 10 Best Visual Studio Code Extensions
10 Best Visual Studio Code Extensions
Web Dev Simplified
10 Learn CSS in 20 Minutes
Learn CSS in 20 Minutes
Web Dev Simplified
11 How to Style a Modern Website (Part One)
How to Style a Modern Website (Part One)
Web Dev Simplified
12 How to Style a Modern Website (Part Two)
How to Style a Modern Website (Part Two)
Web Dev Simplified
13 3D Flip Button Tutorial
3D Flip Button Tutorial
Web Dev Simplified
14 How to Style a Modern Website (Part Three)
How to Style a Modern Website (Part Three)
Web Dev Simplified
15 Animated Loading Spinner Tutorial
Animated Loading Spinner Tutorial
Web Dev Simplified
16 How to Write the Perfect Developer Resume
How to Write the Perfect Developer Resume
Web Dev Simplified
17 Animated Text Reveal Tutorial
Animated Text Reveal Tutorial
Web Dev Simplified
18 Learn Flexbox in 15 Minutes
Learn Flexbox in 15 Minutes
Web Dev Simplified
19 Custom Checkbox Tutorial
Custom Checkbox Tutorial
Web Dev Simplified
20 Start Contributing to Open Source (Hacktoberfest)
Start Contributing to Open Source (Hacktoberfest)
Web Dev Simplified
21 JavaScript Shopping Cart Tutorial for Beginners
JavaScript Shopping Cart Tutorial for Beginners
Web Dev Simplified
22 Responsive Video Background Tutorial
Responsive Video Background Tutorial
Web Dev Simplified
23 1,000 Subscriber Giveaway
1,000 Subscriber Giveaway
Web Dev Simplified
How To Prevent The Most Common Cross Site Scripting Attack
How To Prevent The Most Common Cross Site Scripting Attack
Web Dev Simplified
25 Transparent Login Form Tutorial
Transparent Login Form Tutorial
Web Dev Simplified
26 The Forgotten CSS Position
The Forgotten CSS Position
Web Dev Simplified
27 How to Code a Card Matching Game
How to Code a Card Matching Game
Web Dev Simplified
28 10 Must Install Visual Studio Code Extensions
10 Must Install Visual Studio Code Extensions
Web Dev Simplified
29 Learn CSS Grid in 20 Minutes
Learn CSS Grid in 20 Minutes
Web Dev Simplified
30 Learn JSON in 10 Minutes
Learn JSON in 10 Minutes
Web Dev Simplified
31 10 Essential Keyboard Shortcuts For Programmers
10 Essential Keyboard Shortcuts For Programmers
Web Dev Simplified
32 What Is The Fastest Way To Load JavaScript
What Is The Fastest Way To Load JavaScript
Web Dev Simplified
33 Differences Between Var, Let, and Const
Differences Between Var, Let, and Const
Web Dev Simplified
34 How To Install MySQL (Server and Workbench)
How To Install MySQL (Server and Workbench)
Web Dev Simplified
35 Learn SQL In 60 Minutes
Learn SQL In 60 Minutes
Web Dev Simplified
36 How To Solve SQL Problems
How To Solve SQL Problems
Web Dev Simplified
37 What Are Design Patterns?
What Are Design Patterns?
Web Dev Simplified
38 Null Object Pattern - Design Patterns
Null Object Pattern - Design Patterns
Web Dev Simplified
39 Your First Node.js Web Server
Your First Node.js Web Server
Web Dev Simplified
40 How To Setup Payments With Node.js And Stripe
How To Setup Payments With Node.js And Stripe
Web Dev Simplified
41 How To Learn Any New Programming Skill Fast
How To Learn Any New Programming Skill Fast
Web Dev Simplified
42 Asynchronous Vs Synchronous Programming
Asynchronous Vs Synchronous Programming
Web Dev Simplified
43 JavaScript ES6 Arrow Functions Tutorial
JavaScript ES6 Arrow Functions Tutorial
Web Dev Simplified
44 Are You Too Old To Learn Programming?
Are You Too Old To Learn Programming?
Web Dev Simplified
45 JavaScript Cookies vs Local Storage vs Session Storage
JavaScript Cookies vs Local Storage vs Session Storage
Web Dev Simplified
46 JavaScript Promises In 10 Minutes
JavaScript Promises In 10 Minutes
Web Dev Simplified
47 Builder Pattern - Design Patterns
Builder Pattern - Design Patterns
Web Dev Simplified
48 JavaScript == VS ===
JavaScript == VS ===
Web Dev Simplified
49 JavaScript ES6 Modules
JavaScript ES6 Modules
Web Dev Simplified
50 8 Must Know JavaScript Array Methods
8 Must Know JavaScript Array Methods
Web Dev Simplified
51 CSS Variables Tutorial
CSS Variables Tutorial
Web Dev Simplified
52 JavaScript Async Await
JavaScript Async Await
Web Dev Simplified
53 How To Choose Your First Programming Language
How To Choose Your First Programming Language
Web Dev Simplified
54 Easiest Way To Work With Web Fonts
Easiest Way To Work With Web Fonts
Web Dev Simplified
55 Singleton Pattern - Design Patterns
Singleton Pattern - Design Patterns
Web Dev Simplified
56 Responsive Navbar Tutorial
Responsive Navbar Tutorial
Web Dev Simplified
57 CSS Progress Bar Tutorial
CSS Progress Bar Tutorial
Web Dev Simplified
58 Learn GraphQL In 40 Minutes
Learn GraphQL In 40 Minutes
Web Dev Simplified
59 What is an API?
What is an API?
Web Dev Simplified
60 Learn How To Build A Website In 1 Hour!
Learn How To Build A Website In 1 Hour!
Web Dev Simplified

This video teaches how to prevent the most common cross-site scripting attack by avoiding the use of innerHTML with user input and instead using innerText or escaping user input. It explains how JavaScript injection can occur and how to protect against it.

Key Takeaways
  1. Use innerText instead of innerHTML when displaying user input
  2. Escape user input to prevent JavaScript injection
  3. Avoid using innerHTML with user input
  4. Use HTML escaping to render user input as text
💡 Using innerHTML with user input can lead to JavaScript injection and cross-site scripting attacks, but using innerText or escaping user input can prevent these vulnerabilities.

Related Reads

📰
Why I built Contextia: stopping secrets before they reach AI chats
Learn how to prevent secrets from being leaked into AI chats with Contextia, a tool that scans chat compositions in real-time
Dev.to AI
📰
The Complete Web Application Penetration Testing Guide (2026)— Part 2
Learn to test web application security by focusing on authentication, authorization, and session management vulnerabilities
Medium · Cybersecurity
📰
The Networking Problem Nobody Talks About (Until It’s Too Late)
Learn about the hidden networking problem that can cripple even the most advanced systems, and why it's crucial for cybersecurity
Medium · Cybersecurity
📰
Built an AI-Powered WAF for PHP/Laravel Apps in Africa — Here’s What It Catches
Learn how a student developer built an AI-powered WAF for PHP/Laravel apps in Africa and what threats it catches
Medium · Programming
Up next
How to Recover from a Site Hack with Sucuri - Detailed Guide
Guide Answers
Watch →