Flagged code in xss-example.js:

var unsafe_div = window.document.getElementById("vulnerable-div");
unsafe_div.innerHTML = "Hello to you ";
// here's an XSS:
unsafe_div.innerHTML = "Hello to you " + username;
Check failure: Code scanning / CodeQL
Client-side cross-site scripting (High)

Copilot Autofix (AI, 7 months ago)
To fix the DOM-based XSS vulnerability, we must ensure that any user-provided data written to the DOM is properly escaped or encoded. The best way to do this is to avoid using innerHTML for untrusted data and instead use textContent, which automatically escapes any HTML special characters. This preserves the original functionality (displaying a greeting with the username) while preventing XSS. The change should be made in xss-example.js, replacing the assignment to innerHTML with an assignment to textContent. No additional imports or dependencies are required.
| @@ -7,2 +7,2 @@ | ||
| // here's an XSS: | ||
| unsafe_div.innerHTML = "Hello to you " + username; | ||
| unsafe_div.textContent = "Hello to you " + username; |
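Review bot: the `// here's an XSS:` comment is left above the replaced line and now labels a fix as a vulnerability; update it (for example `// username is rendered as text, never parsed as markup:`) so a later reader does not "restore" innerHTML. The textContent assignment itself is the right fix for this greeting: the value becomes a single text node, so `<`, `>` and `&` in username are serialised escaped and never reach the HTML parser, and nothing else in the hunk depends on the div containing markup.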
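The innerHTML versus textContent behaviour the autofix comment relies on, as an added example that is not part of the PR, CodeQL or the Copilot output: `makeDiv`, `renderUnsafe`, `renderSafe`, `createdElement` and the Node stand-in element are assumptions so it runs without a browser, and the username payload is constructed.

```javascript
// Added example (not from the PR): why the textContent fix works.
// In a browser a real <div> is used; under Node a minimal stand-in element
// (an assumption, not the real DOM) mirrors how the browser serialises text.

// innerHTML stores its input as markup; textContent stores a text node,
// whose serialisation escapes & < and > (as the HTML fragment serialiser does).
function makeDiv() {
  if (typeof document !== "undefined") {
    return document.createElement("div");
  }
  const el = { _html: "" };
  Object.defineProperty(el, "innerHTML", {
    get() { return el._html; },        // stand-in does not re-serialise markup
    set(v) { el._html = String(v); },  // input is handed to the HTML parser
  });
  Object.defineProperty(el, "textContent", {
    set(v) {                           // write-only here; input becomes text
      el._html = String(v).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
    },
  });
  return el;
}

// Vulnerable pattern from xss-example.js: username is parsed as HTML.
function renderUnsafe(username) {
  const div = makeDiv();
  div.innerHTML = "Hello to you " + username;
  return div.innerHTML;
}

// The autofix: same greeting, but username can only ever become text.
function renderSafe(username) {
  const div = makeDiv();
  div.textContent = "Hello to you " + username;
  return div.innerHTML;
}

// Check: did the untrusted part of the rendered markup create an element?
function createdElement(html) {
  return /<[a-z]/i.test(html.slice("Hello to you ".length));
}

// Constructed attacker-controlled username.
const PAYLOAD = "<img src=x onerror=alert(1)>";

console.log("unsafe:", renderUnsafe(PAYLOAD), createdElement(renderUnsafe(PAYLOAD)));
console.log("safe:  ", renderSafe(PAYLOAD), createdElement(renderSafe(PAYLOAD)));
```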