
I have a simple bimple function which echoes this:

echo '<button name="wooba" onclick="alert(this.name)">Say name</button>'

This works fine, but if a user edits the HTML using Chrome or Firefox, he can modify the code to output something like:

echo '<button name="wooba" onclick="alert(\'XSS :D\')">Say name</button>';

I have set the HttpOnly flag in php.ini for cookies, but is there any way to prevent the user from modifying and successfully changing the site's JavaScript?

Thanks!

3 Comments

  • A user manually editing code which has already been output to the browser is not XSS. There's nothing you can do about it, but equally it should not do any harm (XSS-wise) because they're only messing with their own copy of the page, it doesn't affect anything on the server. Are you really asking about the user just editing the code with the developer tools, or about a different scenario? Commented May 10, 2021 at 13:38
  • Exactly that, the user editing the code from my page with his developer tools. @ADyson I think I have misunderstood basic XSS principles. Commented May 10, 2021 at 13:39
  • Yes. XSS occurs when some input from one user manages to affect the behaviour of the page for a different user and/or affect a different application. Commented May 10, 2021 at 13:42

1 Answer


Once the document reaches a user's browser it is theirs to manipulate how they like. This in itself isn't XSS. An XSS exploit exists when a bad actor can inject a script in other people's document. In your example, so long as this.name doesn't come from user input you don't have a problem.
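The distinction the answer draws, as an added example that is not part of the question or the answer: the poster's static button beside a version whose name attribute is filled from a hypothetical request parameter, first unescaped and then encoded with htmlspecialchars. The sample input and the $_GET['name'] parameter are assumptions made for the illustration.

```php
<?php
// Added example, not code from the question or the answer.
// Shows why the static button is safe and where a real XSS risk would come from.

// Static markup, as in the question: nothing from the request reaches the page,
// so a user editing it in DevTools only changes their own copy of the document.
function renderStaticButton(): string {
    return '<button name="wooba" onclick="alert(this.name)">Say name</button>';
}

// Unsafe: the attribute value is taken straight from the request. A crafted
// value can close the attribute and add script that runs for every visitor
// who opens a link carrying that value. This is the reflected-XSS case.
function renderButtonUnsafe(string $name): string {
    return '<button name="' . $name . '" onclick="alert(this.name)">Say name</button>';
}

// Hardened: encode the value for an HTML attribute context. ENT_QUOTES
// converts both " and ' so the value cannot terminate the attribute.
function renderButtonSafe(string $name): string {
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<button name="' . $encoded . '" onclick="alert(this.name)">Say name</button>';
}

// Constructed sample input (not from the page) that tries to break out of the attribute.
$sample = 'wooba" onclick="alert(\'XSS :D\')';

echo renderStaticButton(), PHP_EOL;
echo renderButtonUnsafe($sample), PHP_EOL; // attribute closed early: injected handler
echo renderButtonSafe($sample), PHP_EOL;   // quotes become &quot; and &#039;: plain text

// In a real handler the value would come from the request, for example
// (hypothetical parameter name):
// $name = $_GET['name'] ?? 'wooba';
// echo renderButtonSafe($name);
```

The HttpOnly cookie flag mentioned in the question limits what an injected script can read (document.cookie) but does nothing to stop the injection itself; output encoding at the point where untrusted data enters the HTML, as in renderButtonSafe, is the control that addresses the actual XSS risk.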


2 Comments

Thanks! @Andrew Gillis that was it.
No problem. It's better to ask yourself these questions than to assume it's safe. Keep a special eye out for the OWASP Top 10.
