Wednesday, December 2, 2015

javascript functions in html elements


I was wondering today about the following possibility of declaring functions in HTML:

<div id="divid">content</div>

<!-- attack 1: a plain statement in the inline handler -->
<a href="#" onClick="document.getElementById('divid').setAttribute('style', 'font-weight: bold; color: red; font-size:150%;');" >attack 1</a>
<!-- attack 2: a whole function declared and called inside the inline handler (closing brace and call added so it actually runs) -->
<a href="#" onClick="
var x = function() {
 document.getElementById('divid').setAttribute('style', 'font-weight: bold; color: red; font-size:150%;');
};
x();
" >attack 2</a>

Both versions of the link are really scary... (tested in Chrome).

So in server-generated code, even here, HTML attribute encoding must be applied to untrusted values to prevent XSS attacks.
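As an added example (not part of the original post), here is what that encoding looks like in a Node-style template: the unsafe version concatenates a value straight into an attribute, the hardened one attribute-encodes it first, and a small tokenizer checks which attributes the rendered tag ends up with. The function names and the payload are my own constructions.

```javascript
// Encode the characters that can close an attribute value or open a tag.
function encodeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the value lands in the attribute unencoded.
function renderUnsafe(title) {
  return `<a href="#" title="${title}">link</a>`;
}

// Hardened: same template, value attribute-encoded first.
function renderSafe(title) {
  return `<a href="#" title="${encodeHtmlAttr(title)}">link</a>`;
}

// Minimal tokenizer: lower-cased attribute names of the first tag in `html`,
// honouring quoted values the way a browser does. Used only to inspect output.
function firstTagAttributes(html) {
  const names = [];
  let i = html.indexOf('<') + 1;
  while (i < html.length && !/[\s>]/.test(html[i])) i++;        // skip tag name
  while (i < html.length && html[i] !== '>') {
    while (i < html.length && /\s/.test(html[i])) i++;
    if (i >= html.length || html[i] === '>') break;
    let name = '';
    while (i < html.length && !/[\s=>]/.test(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === '=') {                                        // attribute value
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        const end = html.indexOf(q, i + 1);
        i = end === -1 ? html.length : end + 1;
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
      }
    }
  }
  return names;
}

// Constructed payload in the style of the post: close the title attribute and
// add an inline handler that restyles the div.
const PAYLOAD = `" onClick="document.getElementById('divid').setAttribute('style','color:red')`;

// Attribute names as a comma-joined string, for easy comparison.
function attributeList(html) {
  return firstTagAttributes(html).join(',');
}
```

With the payload above, `attributeList(renderUnsafe(PAYLOAD))` yields `href,title,onclick` while the encoded version yields only `href,title`, because the quote that would have ended the attribute is now `&quot;`.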

kind regards,

