vojtech-dobes / nette.ajax.js

Flexible AJAX for Nette Framework. Supports snippets, redirects etc.
https://componette.org/vojtech-dobes/nette.ajax.js/
MIT License

Use TrueHTML to avoid mXSS #88

Open mishak87 opened 10 years ago

mishak87 commented 10 years ago

TL;DR not even assumed sanitized HTML and CSS can be trusted in el.innerHTML or $(el).html(). Increase security by using JavaScript sanitizer like Google Caja.

More info: http://www.nds.rub.de/research/publications/mXSS-Attacks/ http://www.slideshare.net/x00mario/the-innerhtml-apocalypse

Original issue https://github.com/nette/nette/issues/1496


I would suggest delegating $(el).html(snippet) to a separate method and by default using a secure implementation via TrueHTML or at least sanitizing the input. I haven't done enough research on this topic and further research is necessary. Known affected are old versions of IE (8, 9), Firefox, Chrome. IE 11 XSS filter shows a warning even for false positives, which might break trust between user and site.
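The following is an added example, not code from nette.ajax.js or from the commenter: it shows the "delegate every snippet write to one method" idea from the comment above, with a pluggable sanitizer hook (meant for a library such as Google Caja) and a guard against the mutation effect the linked mXSS research describes. All names (`escapeHtml`, `browserRoundTrip`, `createSnippetWriter`) are hypothetical, and the demo element and sample inputs are constructed.

```javascript
// Added example (not part of nette.ajax.js); names are hypothetical.

// Escape text so it can never be interpreted as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Browser-only helper: parse markup and serialize it again. mXSS relies on
// this round trip yielding different markup than went in, so sanitizer output
// that is not stable under it should not be inserted as-is. Returns null
// outside a browser (no DOMParser), in which case the guard is skipped.
function browserRoundTrip(html) {
  if (typeof DOMParser === 'undefined') { return null; }
  var doc = new DOMParser().parseFromString('<body>' + html, 'text/html');
  return doc.body.innerHTML;
}

// Build the single method every snippet write is delegated to.
// options.sanitize:  function(html) -> clean html (e.g. a Caja/TrueHTML wrapper).
//                    Without one, the default refuses markup and escapes to text.
// options.roundTrip: function(html) -> reserialized html, or null to skip the check.
function createSnippetWriter(options) {
  options = options || {};
  var sanitize = options.sanitize || escapeHtml;
  var roundTrip = options.roundTrip || browserRoundTrip;

  return function writeSnippet(el, html) {
    var clean = sanitize(String(html));
    var again = roundTrip(clean);
    // Unstable output: the browser would mutate it on re-parse, so fall back
    // to plain text rather than inserting markup whose final form is unknown.
    if (again !== null && again !== clean) {
      clean = escapeHtml(html);
    }
    el.innerHTML = clean; // with jQuery this is where $(el).html(clean) would go
    return clean;
  };
}

// Constructed demo with an in-memory object standing in for a DOM node.
var demoEl = { innerHTML: '' };
var writeDefault = createSnippetWriter();
writeDefault(demoEl, '<b>hello</b>'); // no sanitizer configured: stored as text

var writeTrusting = createSnippetWriter({
  sanitize: function (h) { return h; },                 // constructed pass-through
  roundTrip: function (h) { return h.toLowerCase(); }   // constructed "mutating" parser
});
writeTrusting(demoEl, '<B>hello</B>'); // changes on round trip: escaped instead
```

The default of escaping when no sanitizer is configured means a forgotten configuration fails closed; the round-trip guard is only a second line of defence and does not replace a real sanitizer.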

vojtech-dobes commented 10 years ago

Thanks for opening the issue!