Update cross-site-scripting.md (#19857)

Rick-Anderson · web-flow · commit 6d29ce9d75de · 2020-09-14T11:45:02.000-10:00
diff --git a/aspnetcore/security/cross-site-scripting.md b/aspnetcore/security/cross-site-scripting.md
@@ -56,84 +56,100 @@ There may be times you want to insert a value into JavaScript to process in your
 
 ```cshtml
 @{
-       var untrustedInput = "<\"123\">";
-   }
+    var untrustedInput = "<script>alert(1)</script>";
+}
 
-   <div
-       id="injectedData"
-       data-untrustedinput="@untrustedInput" />
+<div id="injectedData"
+     data-untrustedinput="@untrustedInput" />
 
-   <script>
-     var injectedData = document.getElementById("injectedData");
+<div id="scriptedWrite" />
+<div id="scriptedWrite-html5" />
 
-     // All clients
-     var clientSideUntrustedInputOldStyle =
-         injectedData.getAttribute("data-untrustedinput");
+<script>
+    var injectedData = document.getElementById("injectedData");
 
-     // HTML 5 clients only
-     var clientSideUntrustedInputHtml5 =
-         injectedData.dataset.untrustedinput;
+    // All clients
+    var clientSideUntrustedInputOldStyle =
+        injectedData.getAttribute("data-untrustedinput");
 
-     document.write(clientSideUntrustedInputOldStyle);
-     document.write("<br />")
-     document.write(clientSideUntrustedInputHtml5);
-   </script>
-   ```
+    // HTML 5 clients only
+    var clientSideUntrustedInputHtml5 =
+        injectedData.dataset.untrustedinput;
 
-This will produce the following HTML
+    // Put the injected, untrusted data into the scriptedWrite div tag.
+    // Do NOT use document.write() on text sourced from attributes as
+    // unicode escapes will be unescape in document.write() which can lead to XSS.
+    document.getElementById("scriptedWrite").innerText += clientSideUntrustedInputOldStyle;
 
-```html
-<div
-     id="injectedData"
-     data-untrustedinput="&lt;&quot;123&quot;&gt;" />
+    // Or you can use createElement() to dynamically create document elements
+    // This time we're using textContent to ensure the data is not unescaped.
+    var x = document.createElement("div");
+    x.textContent = clientSideUntrustedInputHtml5;
+    document.body.appendChild(x);
 
-   <script>
-     var injectedData = document.getElementById("injectedData");
+    // You can also use createTextNode on an element to ensure data is not unescaped.
+    var y = document.createElement("div");
+    y.appendChild(document.createTextNode(clientSideUntrustedInputHtml5));
+    document.body.appendChild(y);
 
-     var clientSideUntrustedInputOldStyle =
-         injectedData.getAttribute("data-untrustedinput");
+</script>
+   ```
 
-     var clientSideUntrustedInputHtml5 =
-         injectedData.dataset.untrustedinput;
+The preceding markup generates the following HTML:
 
-     document.write(clientSideUntrustedInputOldStyle);
-     document.write("<br />")
-     document.write(clientSideUntrustedInputHtml5);
-   </script>
-   ```
+```html
+<div id="injectedData"
+     data-untrustedinput="&lt;script&gt;alert(1)&lt;/script&gt;" />
 
-Which, when it runs, will render the following:
+<div id="scriptedWrite" />
+<div id="scriptedWrite-html5" />
 
-```
-<"123">
-   <"123">
-```
+<script>
+    var injectedData = document.getElementById("injectedData");
 
-You can also call the JavaScript encoder directly:
+    // All clients
+    var clientSideUntrustedInputOldStyle =
+        injectedData.getAttribute("data-untrustedinput");
 
-```cshtml
-@using System.Text.Encodings.Web;
-   @inject JavaScriptEncoder encoder;
+    // HTML 5 clients only
+    var clientSideUntrustedInputHtml5 =
+        injectedData.dataset.untrustedinput;
 
-   @{
-       var untrustedInput = "<\"123\">";
-   }
+    // Put the injected, untrusted data into the scriptedWrite div tag.
+    // Do NOT use document.write() on text sourced from attributes as
+    // unicode escapes will be unescape in document.write() which can lead to XSS.
+    document.getElementById("scriptedWrite").innerText += clientSideUntrustedInputOldStyle;
 
-   <script>
-       document.write("@encoder.Encode(untrustedInput)");
-   </script>
-```
+    // Or you can use createElement() to dynamically create document elements
+    // This time we're using textContent to ensure the data is not unescaped.
+    var x = document.createElement("div");
+    x.textContent = clientSideUntrustedInputHtml5;
+    document.body.appendChild(x);
 
-This will render in the browser as follows:
+    // You can also use createTextNode on an element to ensure data is not unescaped.
+    var y = document.createElement("div");
+    y.appendChild(document.createTextNode(clientSideUntrustedInputHtml5));
+    document.body.appendChild(y);
 
-```html
-<script>
-    document.write("\u003C\u0022123\u0022\u003E");
 </script>
+   ```
+
+The preceding code generates the following output:
+
+```
+<script>alert(1)</script>
+<script>alert(1)</script>
+<script>alert(1)</script>
 ```
 
 >[!WARNING]
-> Don't concatenate untrusted input in JavaScript to create DOM elements. You should use `createElement()` and assign property values appropriately such as `node.TextContent=`, or use `element.SetAttribute()`/`element[attribute]=` otherwise you expose yourself to DOM-based XSS.
+> Do ***NOT*** concatenate untrusted input in JavaScript to create DOM elements or use `document.write()` on data sourced from attributes.
+>
+> Use one of the following approaches to prevent code from being exposed to DOM-based XSS:
+> * `createElement()` and assign property values with appropriate methods or properties such as `node.textContent=` or node.InnerText=`.
+> * `document.CreateTextNode()` and append it in the appropriate DOM location.
+> * `element.SetAttribute()`
+> * `element[attribute]=`
 
 ## Accessing encoders in code
 
