Could appending code like this be a JS vulnerability?

    // Builds the "typing" placeholder shown while the AI reply is pending.
    // The <?php ... ?> tag is expanded on the server before this script reaches the browser.
    function loadingMessage() {
        var html = `<div class="ai-message loading">
        <img src="<?php echo get_template_directory_uri()."/assets/images/icon.png"?>">
        <svg class="message-container ai-bg" id="dots" width="66px" height="29px" viewBox="0 0 132 58" version="1.1">
    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" sketch:type="MSPage">
        <g id="dots" sketch:type="MSArtboardGroup" fill="#ffa3fc">
            <circle id="dot1" sketch:type="MSShapeGroup" cx="25" cy="30" r="13"></circle>
            <circle id="dot2" sketch:type="MSShapeGroup" cx="65" cy="30" r="13"></circle>
            <circle id="dot3" sketch:type="MSShapeGroup" cx="105" cy="30" r="13"></circle>
        </g>
    </g>
</svg>
    </div>`;
        return html;
    }

    var delay = 1000; // assumed value: the original script sets delay (in ms) elsewhere

    // Append the placeholder to the chat after the delay.
    setTimeout(function() {
        jQuery('.chat-messages').append(loadingMessage());
    }, delay);

I would like to know if users would be able to modify the html var and make some kind of change to my website permanently.

I’m pretty much a noob with this; the code is working perfectly, but I would like to know if this is hackable.

> Solution:

Well, yes and no.

Yes, any user with access to development tools (basically all browser users) can just run arbitrary JavaScript code while browsing your website and change how their browser interacts with your website.

But no, this doesn’t "permanently change" your website, because these interactions affect only them: it changes what their browser shows and does.

One caveat (and a potential real security problem): if your site somehow depends on security constraints purely implemented on the client side (such as a password-check that’s just implemented in JS and does not have any server-components), then such a modification can trivially circumvent them.

This is why you must never trust anything that’s being sent by the browser: always verify that the data is valid and the user is authorized to take that action, even if you already do validation like this in the browser (the browser part of that is basically just an optimization to make errors quicker to be shown to the user).
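An added example (not code from the original post) of the pattern the answer describes: the same validation rule runs in the browser only as an early-feedback optimisation, while the server re-runs it and decides authorisation from its own session state, ignoring any flags the client sends. The function names, the request body shape and the session shape are assumptions.

```javascript
// Assumed names: validateChatMessage, clientShouldSend, handleChatPost.
const MAX_MESSAGE_LENGTH = 500;

// Shared rule, usable on both sides: returns null when valid, otherwise a reason.
function validateChatMessage(text) {
  if (typeof text !== "string") return "message must be a string";
  const trimmed = text.trim();
  if (trimmed.length === 0) return "message is empty";
  if (trimmed.length > MAX_MESSAGE_LENGTH) return "message too long";
  return null;
}

// Browser side: only decides whether to bother sending the request.
// Anyone can change this in dev tools, so it is not a security boundary.
function clientShouldSend(text) {
  return validateChatMessage(text) === null;
}

// Server side. `session` comes from the server's own session store (looked up
// from the cookie), never from the request body. `body` is whatever the browser
// sent and is treated as untrusted.
function handleChatPost(session, body) {
  // Authorisation is decided from server-side state, not from client claims.
  if (!session || !session.userId) {
    return { status: 401, error: "not logged in" };
  }
  // Re-validate: the client-side check may have been skipped or modified.
  const reason = validateChatMessage(body && body.message);
  if (reason !== null) {
    return { status: 400, error: reason };
  }
  // Client-sent flags such as body.validated or body.isAdmin are simply ignored.
  return {
    status: 200,
    stored: { userId: session.userId, message: body.message.trim() },
  };
}
```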
