
javascript - Is createTextNode completely safe from HTML injection & XSS? - Stack Overflow


I'm working on a single page webapp. I'm doing the rendering by directly creating DOM nodes. In particular, all user-supplied data is added to the page by creating text nodes with document.createTextNode("user data").

Does this approach avoid any possibility of HTML injection, cross site scripting (XSS), and all the other evil things users could do?


Asked Jul 25, 2012 at 16:39 by Brian Reischl; edited Jan 21, 2016 at 15:04.

2 Answers


It creates a plain text node, so yes, as far as it goes.

It is possible to create an XSS problem by using an unsafe method to get the data from whatever channel it is being input into to createTextNode though.

e.g. The following would be unsafe:

document.createTextNode('<?php echo $_GET['xss']; ?>');

… but the danger is from the PHP echo, not the JavaScript createTextNode.
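The two halves of the safe pattern described in the answer above, as an added example that is not from the original thread: the server emits user data as a script-safe JSON literal instead of echoing it raw into a JavaScript string (the PHP mistake in the answer, shown here with a hypothetical Node-side template function), and the client places it into the DOM with createTextNode, which never parses markup. The function names and the `doc` parameter are assumptions for this example.

```javascript
'use strict';

// Serialise a value as JSON that is safe to place inside a <script> block.
// JSON.stringify leaves "<" raw, so a value such as "</script><b>" could
// otherwise terminate the script element and start new markup. "<", ">" and
// "&" are rewritten as JSON \u escapes (JSON.parse turns them back into the
// original characters). U+2028/U+2029 are escaped too, because older engines
// treated them as line terminators inside JavaScript string literals.
function scriptSafeJson(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// What the server should emit instead of `'<?php echo $_GET['xss']; ?>'`:
// the data becomes a JSON literal, never part of the surrounding syntax.
// (Hypothetical helper; in PHP the equivalent is json_encode with the
// JSON_HEX_TAG / JSON_HEX_AMP flags.)
function scriptTag(varName, value) {
  return `<script>var ${varName} = ${scriptSafeJson(value)};</script>`;
}

// Client side: the value read from that variable is appended as a text node.
// `doc` defaults to the global document; a minimal stand-in can be passed
// when no DOM is available (e.g. in a Node test).
function renderUserText(userText, doc = document) {
  const p = doc.createElement('p');
  // createTextNode stores the string as character data, so "<b>" stays
  // literal text and is never interpreted as an element.
  p.appendChild(doc.createTextNode(userText));
  return p;
}

// Constructed sample input containing the characters that matter.
const SAMPLE_USER_INPUT = '</script><b>bold?</b> & "quoted" \u2028';
```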

Yes, it's XSS safe, as would be using someElement.innerText = "...".

(The sibling answer adds confusion by including the XSS-vulnerable PHP snippet.)
