Will assigning a value to an input element that was created with vanilla JS cause XSS vulnerabilities?
For example:
var inn = document.createElement('input');
// append to parent or body...
var data = request.post(someData); // make some kind of HTTPS request with a response
inn.value = data;
CodePudding user response:
No (caveat¹). The value you assign to the value property of an input element is solely treated as plain text. Nothing about it is executed.
¹ Caveat: If data is an object with a custom toString function, then assigning data to inn.value will implicitly call that toString function, which executes code. You seem to be showing data as the result of doing a POST, though, so I'm going to assume it can't be an object with a custom toString function.
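The behaviour described in the answer above, as an added example that is not part of the original question or answer: it shows markup kept as text, the toString caveat, and why data parsed from a JSON response cannot trigger it. The names makeInput, setInputValue and demo are hypothetical, and outside a browser makeInput returns a stand-in object that assumes the same string conversion the DOM value property performs.

```javascript
// Returns a real <input> in a browser. Elsewhere (e.g. Node) returns a stand-in
// whose value setter converts to a string, as the DOM property does.
function makeInput() {
  if (typeof document !== 'undefined') return document.createElement('input');
  let stored = '';
  return {
    get value() { return stored; },
    set value(v) { stored = String(v); },
  };
}

// Hypothetical helper: accept only primitives, so the assignment can never
// invoke a toString() supplied by the data itself.
function setInputValue(input, data) {
  const t = typeof data;
  if (t !== 'string' && t !== 'number' && t !== 'boolean') {
    throw new TypeError('refusing to assign a non-primitive to input.value');
  }
  input.value = String(data);
  return input.value;
}

function demo() {
  const results = {};
  // 1. Markup in a string is kept verbatim as text; nothing is parsed or run.
  const a = makeInput();
  a.value = '<script>alert(1)</script>';
  results.markupKeptAsText = a.value;
  // 2. The caveat: an object's own toString() runs during the assignment.
  let called = false;
  const custom = { toString() { called = true; return 'from toString'; } };
  const b = makeInput();
  b.value = custom;
  results.toStringCalled = called;
  results.coercedValue = b.value;
  // 3. JSON cannot carry functions, so a parsed response object only gets
  //    the built-in Object.prototype.toString.
  const c = makeInput();
  c.value = JSON.parse('{"name": "constructed sample"}');
  results.parsedObject = c.value;
  // 4. The helper rejects the object from step 2 before any coercion.
  try {
    setInputValue(makeInput(), custom);
    results.helperRejectedObject = false;
  } catch (e) {
    results.helperRejectedObject = e instanceof TypeError;
  }
  return results;
}
```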