innerHTML and eval - Javascript/Ajax attacks - 101
Just to round up a discussion I was having with some AJAX developers regarding the use of the eval() function and innerHTML function in javascript.
These functions are commonly used to populate dynamic sections of a web page without reloading the page itself (Web 2.0 as the spindoctors call it).
So if we have a simple javascript function that rewrites the displayed text depending on what the user typed in:
<HTML>
<script type="text/javascript">
function changeInput()
{
var userInput = document.getElementById('userInput').value;
document.getElementById('elementXYZ').innerHTML = userInput;
}
</script>
<p>Welcome to the page <b id='elementXYZ'>dude</b> </p>
<input type='text' id='userInput' value='Enter Text Here' />
<input type='button' onclick='changeInput()' value='Change Text'/>
</HTML>
So a few problems here: innerHTML parses the string it is given as HTML, so any tags contained in the user's input become live elements in the page rather than being displayed as text. To make this post short and sweet (I actually need to do some real work): if we input script using the evil eval() method we can commit XSS, such as
<a onmouseover=eval('alert("hi")')>mouse over me </a>
The javascript method eval(STRING) causes the string passed to it to be evaluated as script. This takes care of the need to use "<", ">" and the like.
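As an added example (not part of the original post), here is the changeInput() pattern from above beside two hardened versions: one that assigns the user's input through textContent, which never parses its value as HTML, and one that entity-escapes the input before it reaches innerHTML. It runs under Node with a constructed stand-in for the DOM element; the names escapeHtml, changeInputUnsafe, changeInputSafe, changeInputEscaped, fakeElement and containsTagOpener are mine, and the sample input is the mouseover payload shown in the post.

```javascript
// Added example, not code from the original post. Runs under Node without a
// DOM: `el` is any object with innerHTML/textContent properties (a real DOM
// element in the browser, a plain object here).

// Escape the five characters that let a string be parsed as markup or break
// out of an attribute. Only needed when HTML must be built from user data;
// prefer textContent where the value is meant to be displayed as text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The pattern from the post: whatever the user typed is parsed as HTML, so
// tags and their event-handler attributes become live parts of the page.
function changeInputUnsafe(el, userInput) {
  el.innerHTML = userInput;
  return el.innerHTML;
}

// Hardened: textContent never parses its value, so "<a ...>" stays visible text.
function changeInputSafe(el, userInput) {
  el.textContent = userInput;
  return el.textContent;
}

// Hardened alternative for code that must build markup as a string
// (templates, concatenation): escape before the string reaches innerHTML.
function changeInputEscaped(el, userInput) {
  el.innerHTML = escapeHtml(userInput);
  return el.innerHTML;
}

// Constructed stand-in for a DOM element so this runs under Node. In a
// browser, pass document.getElementById('elementXYZ') instead.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Constructed sample input: the mouseover payload from the post.
const SAMPLE_INPUT = '<a onmouseover=eval(\'alert("hi")\')>mouse over me</a>';

// Would an HTML parser create an element from this string? Without an
// unescaped "<" followed by a tag name there is no element, and therefore
// no attribute for a handler to live in. (Crude check, for illustration.)
function containsTagOpener(html) {
  return /<\/?[a-z]/i.test(html);
}

console.log('unsafe  :', changeInputUnsafe(fakeElement(), SAMPLE_INPUT));
console.log('safe    :', changeInputSafe(fakeElement(), SAMPLE_INPUT));
console.log('escaped :', changeInputEscaped(fakeElement(), SAMPLE_INPUT));
```

textContent is the right default for the post's use case, since the value is meant to be shown as text. Escaping is for the cases where markup really is being assembled as a string: it neutralises the tag opener so the browser never creates an element, which is why the onmouseover text in the escaped output is inert.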
