It is silly if the content of `comment` is coming from an external source (e.g. query string). Could you identify a specific jQuery vulnerability that makes otherwise safe code unsafe?
I wouldn't say that jQuery has a vulnerability, but it having tons of APIs that have an overloard supporting injecting HTML from a string make it easy to write vulnerable code (compare to React where the only way to inject HTML from a string requires using a very explicit API involving typing "unsafe") and hard to identify vulnerable code (I can't easily ctrl-f through a codebase for easy-to-misuse functions because most of the calls will be calls to safer-element-taking overloads that I can only identify by following the code backwards).
This example will only affect that particular user viewing the page, though. And once they hit refresh, that'll be gone.
If I'm following your other example with malicious input into a form; the snippet would have to pass server-side validation (likely, since it's probably checking for SQL injects). Then past that, when it gets rendered for other users, the view/templating would need to display the snippet as a script instead of just text, right?
(btw, I didn't downvote you; your question is quite legitimate. I upvoted you to restore balance to nature ;))
> This example will only affect that particular user viewing the page, though. And once they hit refresh, that'll be gone.
No, that wouldn't be an effective XSS. You highlighted an effective XSS in your follow-on statements.. basically, it needs to be saved on the server and then displayed to another user. At that point, you can attack them and steal whatever you like.
An effective XSS would be a form that doesn't validate input looking for XSS attacks specifically (on the server side, or on the client side before re-display, such as via my safify.js library). For example, if HN let me paste that in and didn't translate < to < before display, my <script>alert(1);</script> would be actually executed as soon as it was displayed on screen (more correctly, attached to the DOM). This is a really important point ... it's the core of understanding what XSS really is.
> Then past that, when it gets rendered for other users, the view/templating would need to display the snippet as a script instead of just text, right?
No, unfortunately -- the view would just have to display it even as plain text. I'm guessing here that you're saying the entire page is displayed as an html template via jinja or something, rather than being pulled in with AJAX. AJAX is almost certainly going to be XSS'able unless you take steps. If you're using an HTML templater, it might sanitize/encode the HTML for you, but only if it knows that it's supposed to do that and that it's not part of your normal HTML. (In other words, most templaters would probably just stick the <script> tag right in the middle of all of the other HTML, and the browser will just try to parse and interpret anything that looks like HTML and ignore all the rest as noise.)
To continue with your thoughts..
1) attacker leaves comment in field
2) comment can be validated on server prior to sql injection, or not. that doesn't matter unless it's looking specifically for XSS vectors.
3) when comment is provided back to the client, it's displayed on screen using regular jquery calls. there's nothing wrong with using those jquery calls (any more than directly manipulating the DOM or using standard javascript); you just have to know what you're doing and sanitize the text. (i.e., this isn't referring to a specific vuln in jquery or javascript at all.)
4) most importantly, the view/templating does NOT need to "display" snippet as script. this is the key point. As soon as it's attached to the DOM, it becomes HTML.
You can try it out right here. Open up devtools (press f12) and paste this into the console tab:
var comment = "<script>alert(1)</script>";
$("body").append(comment);
Thanks for the upvote, but a bigger thanks for coming back to answer my question so thoroughly. :)
> If you're using an HTML templater, it might sanitize/encode the HTML for you, but only if it knows that it's supposed to do that and that it's not part of your normal HTML.
Yeah this was my larger concern. I'm never blindly appending user-submitted input into the DOM, but doing it through a templater like Handlebars.
