XSS - Javascript String

Is it possible to perform an XSS on the following:

<script> var name = "USER_INPUT";</script>

where USER_INPUT is given by the user. I have a filter for USER_INPUT which doesn’t accept < and " characters but accepts &quot. I do not use the variable name in the html and use it only for processing inside the script.



Solution 1:[1]

I think it is important to check the best practices for sanitizing user input for the programming language that you are using.

For example for php you can check this question: What's the best method for sanitizing user input with PHP?

Solution 2:[2]

Under the restrictions you have mentioned there is no immediate risk of XSS. Make sure that any user input with " or < is denied (not just replaced); even better, only accept whitelisted characters (e.g. [a-zA-Z0-9_ ]). To make sure the variable name is not used for any dangerous processing (like a DB query) in the future, better give it a recognizable name like UNSAFE_name or something.

Solution 3:[3]

If characters like backslashes, newlines, or HTML comment end tags are allowed, then they can at least break the formatting of the page or cause errors to be thrown, stopping the rest of the script from running.

There is also the risk of it easily becoming vulnerable if an extra variable is added. Like:

<script>var name = "USER_INPUT", name2 = "USER_INPUT2";</script>

Then, if USER_INPUT is \, and USER_INPUT2 is +alert(1)// then this will run a script.
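The backslash trick described in this answer, reproduced and then fixed, as an added example that is not part of the original answer. The filter mirrors the question (reject < and " only), and the names naiveFilter, renderNaive, jsStringLiteral, renderSafe and runScript are chosen here for illustration; new Function stands in for the browser executing the inline script.

```javascript
// Added example (not from the thread): reproduce the two-variable break from
// the answer above, then fix it with a proper JavaScript string-literal encoder.

// The question's filter: reject '<' and '"' but nothing else (a backslash passes).
function naiveFilter(s) {
  if (/[<"]/.test(s)) throw new Error("rejected by filter: " + s);
  return s;
}

// The vulnerable template from the answer: two user values in one statement.
function renderNaive(input1, input2) {
  return `var name = "${naiveFilter(input1)}", name2 = "${naiveFilter(input2)}";`;
}

// Hardened encoder. JSON.stringify escapes backslashes, quotes and control
// characters; the extra replaces cover what JSON alone leaves untouched:
//  - '<', so the literal can never contain "</script>" or "<!--",
//  - U+2028/U+2029, legal inside JSON strings but line terminators in
//    JavaScript source before ES2019.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(input1, input2) {
  return `var name = ${jsStringLiteral(input1)}, name2 = ${jsStringLiteral(input2)};`;
}

// Stand-in for the browser running the inline <script>: execute the generated
// statement with alert() stubbed and report what happened. The newline before
// the return matters, because a payload ending in "//" comments out the rest
// of its line.
function runScript(src) {
  const alertCalls = [];
  const body =
    src +
    "\nreturn { name: name, name2: typeof name2 === 'undefined' ? undefined : name2 };";
  const vars = new Function("alert", body)((x) => { alertCalls.push(x); });
  return { alertCalls, ...vars };
}

// Attacker-supplied values from the answer (both pass the '<' and '"' filter).
const INPUT1 = "\\";          // a single backslash
const INPUT2 = "+alert(1)//";

const broken = runScript(renderNaive(INPUT1, INPUT2));
// renderNaive yields:  var name = "\", name2 = "+alert(1)//";
// The backslash escapes the first closing quote, the next quote closes the
// string, and +alert(1) is evaluated as code; "//" hides the trailing ";.
console.log("naive:", broken.alertCalls.length === 1 ? "alert fired" : "no alert",
            "name =", JSON.stringify(broken.name));

const fixed = runScript(renderSafe(INPUT1, INPUT2));
// renderSafe yields:  var name = "\\", name2 = "+alert(1)//";
console.log("safe: ", fixed.alertCalls.length === 0 ? "no alert" : "alert fired",
            "name =", JSON.stringify(fixed.name), "name2 =", JSON.stringify(fixed.name2));
```

The fix is to stop thinking in terms of forbidden characters and instead encode for the exact context the value lands in (a JavaScript string literal inside a script element). A denylist of < and " says nothing about \, line terminators or the closing tag, whereas the encoder above produces a literal that cannot end early whatever the input contains.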

Solution 4:[4]

You can test this payload: &quot; -alert(document.domain)- &quot;

Solution 5:[5]

It depends on what you do with the variable name. If you are going to eval it, then the XSS is possible.

For example, if the user input is alert(1) and you are going to eval it without sanitizing its value, i.e.

eval(name);

Or if you are going to inject the name into the DOM the XSS is possible as well.

Have a look at the below example.

const first = 'Wes';
// Attacker-controlled value: an <img> whose onload handler runs script.
const User_input = `I love to do evil <img src="http://unsplash.it/100/100?random" onload="alert('you got hacked');" />`;

// The user value is concatenated into markup without any escaping...
const html = `
    <h3>${first}</h3>
    <p>${User_input}</p>
`;

// ...and assigned to innerHTML, which parses it as HTML, so the handler fires.
const bio = document.body;
bio.innerHTML = html;

But if you are properly sanitizing the user_input you can reduce the chances of an XSS attack.

There are ways to sanitize the user_input. How are you sanitizing? Can you show?
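The innerHTML snippet from this answer with the user value escaped for the HTML-body context, as an added example that is not the answerer's code. escapeHtml, renderBio and paragraphBody are names chosen here; the payload string is the one the answer uses.

```javascript
// Added example (not from the thread): the vulnerable innerHTML template above,
// made safe by escaping the user value before it is concatenated into markup.

// Escape the five characters that let text change meaning inside HTML content
// or inside a double- or single-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Same template as the answer, but every interpolated value is escaped, so the
// string can be assigned to innerHTML without the payload becoming an element.
function renderBio(first, userInput) {
  return `
    <h3>${escapeHtml(first)}</h3>
    <p>${escapeHtml(userInput)}</p>
`;
}

// Pull the <p> body back out of the rendered markup so a check can confirm
// that nothing inside it is able to open a tag or an attribute.
function paragraphBody(html) {
  const m = /<p>([\s\S]*?)<\/p>/.exec(html);
  return m ? m[1] : null;
}

// Constructed payload: the same one used in the answer above.
const USER_INPUT = `I love to do evil <img src="http://unsplash.it/100/100?random" onload="alert('you got hacked');" />`;

const html = renderBio("Wes", USER_INPUT);
console.log(html);
console.log("user text still contains a tag opener:", /[<>]/.test(paragraphBody(html)));
```

In a browser the simpler route is to avoid HTML parsing altogether: set el.textContent = userInput, or build nodes with document.createElement and set properties on them. Note also that this escaping is specific to the HTML context; it does nothing for a value placed inside a quoted string in a script element, which is the situation in the question, and the reverse is equally true.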

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 enesn
Solution 2 Moti Korets
Solution 3 fgb
Solution 4 Tom
Solution 5