
Is it an XSS vulnerability to assign JavaScript variables with untrusted data on the client side?

I want to clarify something about JavaScript variable assignment and XSS vulnerabilities. If the assignment is happening on the client side and not server side, is it open to XSS vulnerabilities? So for example something like this:

//www.test.com/index.html?q=malicious-javascript;
<script>
var x = window.location.search.substr(1);
</script>

Is the assignment of untrusted data a security issue at this point? Noting that this isn't server side assignment.

My understanding is that at this point it wouldn't be a security issue, even though it's in the JavaScript context, which is considered unsafe. Since it's just a string, it can't be broken out of, unlike dynamic JavaScript generated on the server side, which is sent to the browser and rendered as HTML. So long as the data isn't rendered in an unsafe context without proper escaping strategies, for example an HTML input value, it will be safe to assign untrusted data to a JavaScript variable on the client side.

If my understanding above is wrong and this is an XSS vulnerability, can someone please provide the answer with an actual XSS attack vector so I can see for myself and better understand its execution?

It's only XSS when it's rendered directly to HTML without any sanitization.

For example, setting user input as innerHTML, or rendering user input directly into an attribute of an element.

Examples of things you shouldn't do with your x:

element.innerHTML = x;

otherElement.innerHTML = '<div><button type="' + x + '">Click me</button></div>';

eval(x); // Just avoid eval overall.

What you can do with your x:

element.innerText = x;

otherElement.dataset.url = x;

oneMoreElement.href = x;
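The distinction drawn in the answer above, between holding the value and handing it to an HTML sink, is shown here as an added example that is not part of the original question or answer. It runs in Node without a DOM; the function names, the use of `URLSearchParams` to read `q`, the sample URL, and the http(s) check for `href` values are all assumptions made for illustration.

```javascript
// Added example (not from the original post). Runs in Node without a DOM.
// Constructed sample: the q parameter decodes to  "><b>injected</b>
const SAMPLE_URL =
  'https://www.test.com/index.html?q=%22%3E%3Cb%3Einjected%3C%2Fb%3E';

// Reading the value into a variable only produces a string; nothing is
// parsed as HTML or JavaScript at this point.
function readQuery(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Encode the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The answer's string-concatenation sink, with the value encoded for the
// attribute context before it is joined into markup.
function buttonMarkup(x) {
  return '<div><button type="' + escapeHtml(x) + '">Click me</button></div>';
}

// Assumption beyond the answer: a value bound for href is accepted only if it
// resolves to an http(s) URL; anything else is rejected (null).
function allowedHref(x, base = 'https://www.test.com/') {
  let parsed;
  try {
    parsed = new URL(x, base);
  } catch {
    return null;
  }
  return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : null;
}

const x = readQuery(SAMPLE_URL);
console.log(buttonMarkup(x));
```

The encoded markup keeps the value inside the `type` attribute, so the browser treats it as data rather than as new elements.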
