Using `innerHTML` makes the examples vulnerable to cross-site scripting. To demonstrate, in the current version of the chat room example, one can enter `<img src='x' onerror='alert("xss!")'>` as a message, and the (arbitrary) JavaScript will run for all users in the room.
This can be prevented by changing `innerHTML` to `innerText` in all instances, which this pull request does.
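The before/after of the sink described above, plus a reviewer check for the "in all instances" claim. This is an added example, not code from the project's chat room example or from this pull request; the element names (`messages`, `item`, `status`, `banner`, `footer`), the `socket.on('chat message', ...)` handler shape and the sample source being scanned are assumptions constructed for illustration.

```javascript
// Added example, not the project's chat room code. Element names and the socket
// handler shape are assumptions about how the example renders incoming messages.

// The message quoted in the PR description: a broken image whose onerror handler runs.
const PAYLOAD = `<img src='x' onerror='alert("xss!")'>`;

// BEFORE the fix: the string is parsed as HTML, so every user who receives the
// message gets an <img> element and its onerror handler executes in their browser.
function appendMessageUnsafe(messages, msg) {
  const item = document.createElement('li');
  item.innerHTML = msg;              // HTML sink: attacker-controlled markup is parsed
  messages.appendChild(item);
}

// AFTER the fix: the string becomes a single text node. The '<' and '>' are
// displayed literally and no element or event handler is created.
function appendMessageSafe(messages, msg) {
  const item = document.createElement('li');
  item.innerText = msg;              // textContent behaves the same here without a layout pass
  messages.appendChild(item);
}

// Reviewer check for "in all instances": scan a source file for assignments to the
// HTML-parsing sinks and report the ones whose right-hand side is not a lone string
// literal. Line- and regex-based, which is enough for small example files.
const SINK_RE = /\.(innerHTML|outerHTML)\s*\+?=|\.insertAdjacentHTML\s*\(|\bdocument\.write(ln)?\s*\(/;
const LITERAL_ONLY_RE = /\.(innerHTML|outerHTML)\s*=\s*(['"])(?:(?!\2)[^\\]|\\.)*\2\s*;?\s*$/;

function findHtmlSinks(source) {
  const hits = [];
  source.split('\n').forEach((rawLine, index) => {
    const code = rawLine.replace(/\/\/.*$/, ''); // ignore trailing line comments
    if (SINK_RE.test(code) && !LITERAL_ONLY_RE.test(code)) {
      hits.push({ line: index + 1, text: rawLine.trim() });
    }
  });
  return hits;
}

// Constructed sample of what the scan sees: two unfixed sinks, one literal-only
// assignment (no user input), and one line already converted to innerText.
const SAMPLE_SOURCE = `
socket.on('chat message', function (msg) {
  const item = document.createElement('li');
  item.innerHTML = msg;                  // not fixed
  messages.appendChild(item);
});
status.innerHTML = '<b>connected</b>';  // constant markup, no user input
banner.innerHTML = 'Welcome ' + name;   // not fixed: concatenates data into markup
footer.innerText = msg;                 // fixed
`;

function demo() {
  const hits = findHtmlSinks(SAMPLE_SOURCE);
  for (const hit of hits) console.log(`line ${hit.line}: ${hit.text}`);
  if (typeof document !== 'undefined') {   // only in a browser
    const messages = document.createElement('ul');
    appendMessageSafe(messages, PAYLOAD);  // renders the payload as visible text
    document.body.appendChild(messages);
  }
  return hits;
}

demo();
```

Run under Node to see the scan report (lines 4 and 8 of the sample are flagged, the constant-markup and `innerText` lines are not); in a browser, `demo()` also appends the payload as literal text so you can see that no image or alert appears. The scan deliberately keeps template literals and string concatenation in the report, since either can carry user data into the parsed markup. Where the example genuinely needs markup rather than text, switching to `innerText` is not an option and the untrusted part has to be HTML-escaped or built with `createElement`/`textContent` instead.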