Web Security

What is XSS (Cross-Site Scripting)?

An attack that injects malicious JavaScript into page content.


XSS types

Stored XSS - malicious script is saved in the database and served to every visitor
Reflected XSS - script arrives in URL parameters and is echoed back in the response
DOM-based XSS - client-side JavaScript inserts untrusted data into the DOM unsafely
Solution: sanitize/escape user input before it reaches the HTML parser

Code Examples

HTML: XSS examples
<!-- VULNERABLE -->
<div id="content"></div>
<script>
  // Attacker-controlled string; inner quotes are escaped so this is valid JavaScript
  const userInput = '<img src=x onerror="alert(\'XSS!\')">';
  document.getElementById('content').innerHTML = userInput; // EXECUTES SCRIPT!
</script>

<!-- SAFE - Use textContent or DOMPurify -->
<script type="module">
  // type="module" is required for the import; the bare 'dompurify' specifier
  // is resolved by a bundler or an import map
  import DOMPurify from 'dompurify';

  // userInput from the classic script above is visible here (global lexical scope)
  document.getElementById('content').textContent = userInput; // Rendered as literal text, never parsed as HTML

  // Or with DOMPurify: strips event handlers and other dangerous markup
  const clean = DOMPurify.sanitize(userInput);
  document.getElementById('content').innerHTML = clean;
</script>
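The other half of the fix named above, escaping, shown as an added example that is not part of the original page: a small HTML escaper, a tagged template that escapes every interpolated value, and the reflected case where the payload arrives in a URL parameter. The function names, the `q` parameter and the example URL are assumptions made for this illustration.

```javascript
// Added example: contextual output encoding in plain JavaScript (Node or browser).
// Escapes the five HTML-significant characters so user-controlled text is
// rendered as text, never parsed as markup. Safe for text nodes and for
// double-quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: literal parts are trusted markup written by the developer,
// every interpolated value is escaped. Removes the need to remember to escape
// at each insertion point.
function html(strings, ...values) {
  return strings.reduce(
    (out, lit, i) => out + lit + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// Reflected-XSS case from the page: a search term arriving in a URL parameter
// (hypothetical "q" parameter). Returns the fragment to render; the parameter
// never reaches the HTML parser unescaped.
function renderSearchResult(pageUrl) {
  const q = new URL(pageUrl).searchParams.get("q") ?? "";
  return html`<p>Results for "<b>${q}</b>"</p>`;
}

// Constructed sample input reusing the page's own payload.
const PAYLOAD = '<img src=x onerror="alert(\'XSS!\')">';
```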

💡 Practical Tips

Use textContent instead of innerHTML for user input. Sanitize with DOMPurify or a comparable library.

Related keywords

XSS, security, injection