Question

Our company's security scan seems to keep getting hung up on this outerHTML property in swfobject.js:

el.outerHTML = '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"' + att + '>' + par + '</object>';

I'm familiar with the XSS vulnerabilities associated with innerHTML, but can you give me some examples of how outerHTML can be exploited in this case? I'm wondering if the scan is producing a false positive - I would think that the team behind swfobject would have addressed all XSS issues.

Thanks!

No correct solution

OTHER TIPS

If you understand how innerHTML and outerHTML work, you can answer the question for yourself:

  • innerHTML replaces all childNodes of the el node with the NodeList that was parsed from the assigned string value.
  • outerHTML replaces the node el itself with the NodeList that was parsed from the assigned string value.

An example: if el is the inner div in the following example:

<div id="outer"><div id="inner"> … </div></div>

Then setting innerHTML and outerHTML with <b>foobar</b> results in:

  • innerHTML:

    <div id="outer"><div id="inner"><b>foobar</b></div></div>
    
  • outerHTML:

    <div id="outer"><b>foobar</b></div>
    

So it doesn’t matter whether you use innerHTML or outerHTML. Both are vulnerable to XSS.
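
Whichever property receives the string, the risk in the line quoted in the question lies in what is spliced into att and par. As an added example (not swfobject's own code), the following builds the same object markup with every attribute and param value escaped and every name validated; the attribute and param names used ("data", "width", "flashvars") and the sample value are constructed for illustration.

```javascript
// Added example, not swfobject's code: build the <object> markup that the
// question's outerHTML assignment expects, escaping every spliced-in value.
// The attribute/param names ("data", "width", "flashvars") are sample names.

const CLASSID = 'clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'; // from the question

// Encode the characters that can terminate a quoted attribute value or start
// a new tag or entity, so a value can never leave the attribute it sits in.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Names are emitted unquoted, so escaping alone cannot make them safe:
// accept only plain identifiers and reject anything else outright.
function assertSafeName(name) {
  if (!/^[A-Za-z][A-Za-z0-9_-]*$/.test(name)) {
    throw new Error('refusing unsafe attribute/param name: ' + name);
  }
  return name;
}

// Equivalent of the `att` and `par` strings in the swfobject line, built with
// validated names and escaped values before any concatenation happens.
function buildObjectMarkup(attrs, params) {
  let att = '';
  for (const [name, value] of Object.entries(attrs)) {
    att += ' ' + assertSafeName(name) + '="' + escapeAttr(value) + '"';
  }
  let par = '';
  for (const [name, value] of Object.entries(params)) {
    par += '<param name="' + assertSafeName(name) +
           '" value="' + escapeAttr(value) + '" />';
  }
  return '<object classid="' + CLASSID + '"' + att + '>' + par + '</object>';
}

// Constructed sample input: a flashvars value carrying quotes, an ampersand
// and an angle bracket, all of which must end up encoded in the markup.
const sampleMarkup = buildObjectMarkup(
  { data: 'movie.swf', width: '300' },
  { flashvars: 'title=Tom & "Jerry" <3' },
);
```

The returned string can then be assigned to outerHTML exactly as swfobject does; the difference is that no caller-supplied value can introduce new markup.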

Licensed under: CC-BY-SA with attribution