Commit 32890f1
Update cross-site-scripting.md (#19860)
1 parent 6d29ce9 commit 32890f1

1 file changed

Lines changed: 11 additions & 9 deletions

aspnetcore/security/cross-site-scripting.md

@@ -77,17 +77,18 @@ There may be times you want to insert a value into JavaScript to process in your
7777
injectedData.dataset.untrustedinput;
7878
7979
// Put the injected, untrusted data into the scriptedWrite div tag.
80-
// Do NOT use document.write() on text sourced from attributes as
81-
// unicode escapes will be unescape in document.write() which can lead to XSS.
80+
// Do NOT use document.write() on dynamically generated data as it
81+
// can lead to XSS.
82+
8283
document.getElementById("scriptedWrite").innerText += clientSideUntrustedInputOldStyle;
8384
8485
// Or you can use createElement() to dynamically create document elements
85-
// This time we're using textContent to ensure the data is not unescaped.
86+
// This time we're using textContent to ensure the data is properly encoded.
8687
var x = document.createElement("div");
8788
x.textContent = clientSideUntrustedInputHtml5;
8889
document.body.appendChild(x);
8990
90-
// You can also use createTextNode on an element to ensure data is not unescaped.
91+
// You can also use createTextNode on an element to ensure data is properly encoded.
9192
var y = document.createElement("div");
9293
y.appendChild(document.createTextNode(clientSideUntrustedInputHtml5));
9394
document.body.appendChild(y);
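Review bot: the new comment at 80+/81+ states the conclusion but drops the reason the old text gave, and the "properly encoded" wording at 86+ and 91+ overstates what the two APIs do: `textContent` and `createTextNode()` do not encode anything, they assign the string as a text node so it is never parsed as markup. Suggest keeping a one-clause reason on the `document.write()` line ("because document.write() parses its argument as HTML") and rewording the other two to "to ensure the data is treated as text, not parsed as HTML." The removal of the old "will be unescape" phrasing is an improvement.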
@@ -116,17 +117,18 @@ The preceding markup generates the following HTML:
116117
injectedData.dataset.untrustedinput;
117118
118119
// Put the injected, untrusted data into the scriptedWrite div tag.
119-
// Do NOT use document.write() on text sourced from attributes as
120-
// unicode escapes will be unescape in document.write() which can lead to XSS.
120+
// Do NOT use document.write() on dynamically generated data as it can
121+
// lead to XSS.
122+
121123
document.getElementById("scriptedWrite").innerText += clientSideUntrustedInputOldStyle;
122124
123125
// Or you can use createElement() to dynamically create document elements
124-
// This time we're using textContent to ensure the data is not unescaped.
126+
// This time we're using textContent to ensure the data is properly encoded.
125127
var x = document.createElement("div");
126128
x.textContent = clientSideUntrustedInputHtml5;
127129
document.body.appendChild(x);
128130
129-
// You can also use createTextNode on an element to ensure data is not unescaped.
131+
// You can also use createTextNode on an element to ensure data is properly encoded.
130132
var y = document.createElement("div");
131133
y.appendChild(document.createTextNode(clientSideUntrustedInputHtml5));
132134
document.body.appendChild(y);
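Review bot: this copy of the snippet wraps the new comment differently from the first one (120+/121+ break as "as it can / lead to XSS." while the earlier copy breaks as "as it / can lead to XSS."); since the two blocks are otherwise identical, keep the line breaks the same so they can be diffed against each other. The "properly encoded" wording at 126+ and 131+ is also imprecise here: `textContent` and `createTextNode()` bypass HTML parsing rather than encoding the value, so "treated as text, not parsed as HTML" describes the protection accurately.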
@@ -143,7 +145,7 @@ The preceding code generates the following output:
143145
```
144146

145147
>[!WARNING]
146-
> Do ***NOT*** concatenate untrusted input in JavaScript to create DOM elements or use `document.write()` on data sourced from attributes.
148+
> Do ***NOT*** concatenate untrusted input in JavaScript to create DOM elements or use `document.write()` on dynamically generated content.
147149
>
148150
> Use one of the following approaches to prevent code from being exposed to DOM-based XSS:
149151
> * `createElement()` and assign property values with appropriate methods or properties such as `node.textContent=` or node.InnerText=`.
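Review bot: the bullet at 149/151 carries a markup slip this edit could fix while it is rewording the warning block: "or node.InnerText=`" is missing its opening backtick and the DOM property is `innerText` (lowercase i), so the line should read "such as `node.textContent=` or `node.innerText=`." The rewording at 148+ ("dynamically generated content") matches the updated code comments, so the guidance is now consistent across the page.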
