I'm trying to get certain tags from an HTML string through jQuery. The code goes like this:

```javascript
var links = $(htmlString).filter("link");
```

Are there any security issues with this? Particularly, does wrapping the HTML string as a jQuery object run the scripts inside the HTML string? If not, then is there any chance of a script injection attack through this HTML string?

I won't be appending this to any elements, just gonna work with the `links` variable.

peco
  • I don't THINK the html is added to the DOM until you add it, via append, or whatever... So, no. But if you did append it, then, yes, it would obviously execute, as this is how jsonp etc works. – evilunix Sep 23 '14 at 15:26
  • Make a test script, and see! – evilunix Sep 23 '14 at 15:28
  • If you want to take the high road, use [$.parseHTML()](http://api.jquery.com/jQuery.parseHTML/). It is explicitly documented as ignoring scripts unless you pass `true` in its `keepScripts` argument. – Frédéric Hamidi Sep 23 '14 at 15:39
  • @FrédéricHamidi: In the $.parseHTML() documentation, it's written: "However, it is still possible in most environments to execute script indirectly, for example via the attribute". This is kind of what I'm trying to avoid :( – peco Sep 23 '14 at 16:42
  • @peco, if you filter the markup for `` elements before adding it to the document, as your code snippet seems to imply, `` elements will not trouble you. – Frédéric Hamidi Sep 23 '14 at 16:56
  • Possible duplicate of [html() vs innerHTML jquery/javascript & XSS attacks](http://stackoverflow.com/questions/8318581/html-vs-innerhtml-jquery-javascript-xss-attacks) – Paul Sweatte Nov 22 '15 at 05:40
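
An added example, not part of the original question or its comments: one way to read `<link>` data out of an untrusted string by parsing it into a separate inert document with the browser's `DOMParser` instead of building the elements in the live page, where attribute handlers like the one the `$.parseHTML()` documentation warns about can run. The function names, the http(s)-only rule for `href` and the sample markup are assumptions of this example.

```javascript
// Added example (browser JavaScript); function names are hypothetical.

// Parse untrusted markup into a separate, inert document. Scripts in a
// DOMParser document are never executed, and the document has no browsing
// context, so images are not fetched and onerror/onload never fire.
function parseInert(htmlString) {
  return new DOMParser().parseFromString(htmlString, "text/html");
}

// Return plain { rel, href } records for every <link> at any depth
// (.filter("link") in the question only matches top-level elements).
// Returning strings instead of nodes means nothing parsed from the
// untrusted string is ever adopted into the live page.
function linkRecords(doc, baseUrl) {
  const records = [];
  for (const el of doc.querySelectorAll("link")) {
    const raw = el.getAttribute("href");
    if (raw === null) continue; // <link> without href
    let url;
    try {
      url = new URL(raw, baseUrl); // resolve relative hrefs
    } catch (e) {
      continue; // unparseable href
    }
    // Assumption of this example: only http(s) targets are wanted, so
    // javascript:, data: and other schemes are dropped here.
    if (url.protocol !== "http:" && url.protocol !== "https:") continue;
    records.push({ rel: el.getAttribute("rel") || "", href: url.href });
  }
  return records;
}

function extractLinks(htmlString, baseUrl) {
  return linkRecords(parseInert(htmlString), baseUrl);
}

// Constructed sample input: two <link> tags and an <img> with a handler.
const sampleHtml =
  '<link rel="stylesheet" href="/site.css">' +
  '<img src="x" onerror="window.handlerRan = true">' +
  '<link rel="icon" href="javascript:void(0)">';

// Browser-only demo: logs one record and leaves window.handlerRan unset.
if (typeof DOMParser !== "undefined") {
  console.log(extractLinks(sampleHtml, "https://example.com/page"));
}
```
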

0 Answers