
Safety considerations when setting form field values via JavaScript?

I'd like to know if there are safety concerns when setting form field values directly via JavaScript. I am quite sure that it is safe to do so under all circumstances, but I should be absolutely sure instead of quite sure. So, I am asking for your opinions.

What I mean:

Suppose I have an HTML form which contains a text input field with id "txt_Field", and I am doing the following:

...
myvalue = "<script>alert('I am evil');</script>";
document.getElementById("txt_Field").value = myvalue;
...

i.e. I am setting the value of the form field to a string which is held in a variable, without escaping or filtering that string in any way. Of course, that string would actually contain user-generated input with evil things of all kinds.

Nevertheless, I think it is safe to do so. Does anybody know of an example which proves the opposite?

Please note that the question is not if the unfiltered form field value could do harm at the backend when the form data is sent to the server.

I just would like to know if anybody could think of any content in myvalue which could trick a (modern) browser into strange behavior when form field values are set this way, or if I have generally misunderstood something very important.

Thank you very much!

I think it's safe, because to run your code - you should use an eval() method. And of course it's absolutely safe!
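An added example, not part of the original question or answer: it contrasts assigning the string to the `.value` property, where the browser stores it as plain text without HTML parsing, with placing the same string into markup, where it is parsed and must be escaped. The helper names `setFieldValue`, `escapeHtmlAttr` and `buildInputMarkup` are hypothetical, and a plain object stands in for the DOM element so the code also runs outside a browser.

```javascript
// Sample input taken from the question's snippet.
const myvalue = "<script>alert('I am evil');</script>";

// Path 1: property assignment. In a browser, `field` would be
// document.getElementById("txt_Field"). The string becomes the field's
// text content as-is; no markup in it is interpreted.
function setFieldValue(field, text) {
  field.value = String(text);
  return field.value;
}

// Path 2: the string ends up inside an HTML string (innerHTML,
// document.write, a server-side template). There it IS parsed, so the
// characters that are significant in markup must be escaped first.
function escapeHtmlAttr(text) {
  return String(text)
    .replace(/&/g, "&amp;")   // must run first, or later entities get double-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical helper: builds the text input as markup with an escaped value.
function buildInputMarkup(id, text) {
  return '<input type="text" id="' + escapeHtmlAttr(id) +
         '" value="' + escapeHtmlAttr(text) + '">';
}

// Stand-in for a DOM input element (assumption for running outside a browser).
const fakeField = { value: "" };
console.log(setFieldValue(fakeField, myvalue));      // stored unchanged, as text
console.log(buildInputMarkup("txt_Field", myvalue)); // escaped before parsing
```

The escaping is needed only on the markup path; applying it before assigning to `.value` would show the entity text literally in the field.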
