Does outerHTML have the same XSS vulnerabilities as innerHTML?
Question
Our company's security scan seems to keep getting hung up on this outerHTML property in swfobject.js:
el.outerHTML = '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"' + att + '>' + par + '</object>';
I'm familiar with the XSS vulnerabilities associated with innerHTML, but can you give me some examples of how outerHTML can be exploited in this case? I'm wondering if the scan is producing a false positive - I would think that the team behind swfobject would have addressed all XSS issues.
Thanks!
No correct solution
Other tips
If you understand how innerHTML and outerHTML work, you can answer the question for yourself:
innerHTML replaces all childNodes of the el node with the NodeList that was parsed from the assigned string value.
outerHTML replaces the node el itself with the NodeList that was parsed from the assigned string value.
An example: if el is the inner div in the following example:
<div id="outer"><div id="inner"> … </div></div>
Then setting innerHTML and outerHTML with <b>foobar</b> results in:
innerHTML: <div id="outer"><div id="inner"><b>foobar</b></div></div>
outerHTML: <div id="outer"><b>foobar</b></div>
So it doesn't matter whether you use innerHTML or outerHTML. Both are vulnerable to XSS.