XSS inside the array methods?


 I have one user Inputted place (Search box) in my code

let searchText = document.getElementById('search').value

and that input is used to search inside the array of objects using indexOf method as the following

let searchTextIndex = data.map((obj)=>obj.Artist.toLowerCase()).indexOf(searchText.toLowerCase())

I tried );alert('XSS' to escape the indexOf method but that doesn’t trigger so is it possible to XSS this. What am I missing or need to understand here?

>Solution :

XSS attacks work when the user input is used to generate code.

To take a trivial and unrealistic example:

const userInput = “‘ + doSomethingEvil() ‘“;
const string_to_eval = “alert(‘You said: “ + userInput + “’)”;

The userInput contains quote marks which break out of the string literal the string is intended to be placed inside. The string is then evaluated by eval as code.

More commonly such an attack takes advantage of user input being injected into an HTML document. Here’s a typical PHP example (consider $name to come from $_GET instead of being hard coded).

<?php $name = “<script>doSomethingEvil();</script>”; ?>
<p>Hello <?php echo $name; ?></p>

The code you’ve written never evaluates the userInput as part of code. It’s just data that you manipulate.

(NB: I’m writing this on an iPad which loves typographic quotes; the quote characters in the code examples may be wrong.)

Leave a Reply Cancel reply