Great stuff. Hello from The Odin Project!
Hey
How's it going? Have you finished
Hii from DOM Manipulations and Events
@@bashehu me too bro :D
This is genuinely terrifying...thank you for covering this topic and informing those of us who don't have that in depth knowledge about such security topics..
The Odin Project brought me here!
me too!
Same!
@@mikayla3386 good luck in your journey
Good explanation. But if one does not put queries in the URL then stuff like this doesn't matter, so one could still safely use innerHTML.
Generally the client is never safe, because all client code is accessible through dev tools in the browser.
So a strong backend protection and safe routing is all it takes to prevent stuff like this.
Clear and concise explanation of how this can be dangerous. I've been looking around for a while now because I couldn't understand the risk associated, but you did a great job doing it, thanks!
I've seen a bunch of people talk about xss before but you've got a real knack for explaining it simply. Would be great to see more security videos from you!
I don't know what's more amazing... that website.. or that hair...
@@SkillUpMobileGaming never gonna let you down
hair, definitely
Hello from the other side 🌹🙏🕊
Both
Thank you, the first 3 minutes perfectly summarized all my questions
Simple and clear explanation! Thank you!
You're welcome!
hi there, coming from the odin project
Your dirty tricks won't work here.
Pari Star
javascript:Function(“a”+”lert(1)”)()
fuck you my computer is hacked now
Better yet, the alert doesn't even fire as the quotes inside aren't escaped.
@RajeshKumar Chokkalingam chill, obviously he is just joking.
really well explained my friend, subbed
Thanks! I really appreciate it.
Really simple explanation but it was so clear :) Well done
FANTASTIC. Your teaching skills are crazy good.
I prefer to get my coding advice from models. Thank you.
Awesome tutorial! I'd love to see an intro to JavaScript series as well!
Thanks. That is something I want to tackle for sure, but I need to plan out exactly how beginner friendly I want to make the videos. I could go as beginner friendly as never programmed before or just explain JavaScript itself and not programming.
@@WebDevSimplified Yeah that is a tough one to figure out. You never know where people are at in the journey of web development. Personally, I think it would be nice to cover the basic aspects of programming like you mentioned and then dive into Javascript. If they don't want to watch that part they can always skip ahead!
@@LeHuffy that is kind of my thought as well. I have so many different series ideas and so little time it is tough to choose one to start on.
Web Dev Simplified
Will be waiting
@@WebDevSimplified Can you make a video based on Kyle Simpson's book You Don't Know JS,
or other JavaScript books?
A person can find the basics anywhere on RUclips, but you won't find industry-level JavaScript anywhere.
So can you please cover that? You can even make a paid course if you like; many people will purchase it if it's on the level of Kyle Simpson's book (a lot of people, like me, hate reading books, and it's more time-consuming).
Thanks so much for making content that helps people like this one. God bless you.
“>alert(“Channel Hacked!!!”)
Your dirty tricks don't work here
eval(StringtoCharCode());
Legend, subscribed!
Thanks!
Your videos are really awesome, you make web really simplified 🎉
Great explanation man! You earned a sub!
Umm why didn't you show us how to fix the problem right at the end?? Kinda weird that you stopped on the most important part lol
Yes, was expecting a quick example of how to sanitize the input
Learned so much here. I think I'm on my 7th JavaScript beginner tutorial.
Thank you for such a helpful video!
This was very eye-opening... like wow...
So how would one sanitize the input? Would you just replace all less than and greater than signs with < > ?
wow. thx for this useful and concise video. now I understand Cross Site Scripting
"you may think, what can they do with this?" Have you ever had the infinite error box???
Hi, I don't fully understand how a person can have access to the cookie data if I open the link on my end, wouldn't the script just be run on my end and only be seen by me? Thanks
It can send your data from your end to an api/server of theirs (to the malicious end). Afterwards they can use those cookies to log into your account.
Thank you! On a side note, what is that font that you are using?
My PC just got hacked where I accidentally put a script in my URL and some guy almost got my PC, but I emailed my local police and they got him.
Sir, I request you to build a simple website discussing all security issues.
Love this video. I am curious if these filters can be seen from a website if one was to open the developer tools to search these .innerHTML or .innerText elements.
Look in the inspect tab then the console tab and look
thank you, very helpful
I tried this with my site and the alert is not working. I have not sanitized it at all and am not sure why it is not displaying.
You are a life saver.
Thank you 🙏🏻
I don't get it? You can insert into HTML easily and get the same information too? Just click inspect in Chrome and put that in.
You can't send other people your inspected website.
I'd like to learn more about escaping
very nice explanation bro
Thank you
What if I'm not using innerHTML in a form, but rather am using it to output data from a PHP script?
What if I use the POST method using jQuery for this work?
Hi, can you tell me how to prevent XSS in Perl?
Awesome !
very interesting!
2:00 magic!
You can see cookies in console if you type alert(document.cookie);
Why would other websites data be available for this website? This seems like a browser defect, it shouldn't hand cookies and data of other websites
Bro, recently I was just using a normal stranger chat page on Google and a person did this, like showing big running characters and all... and he told me he is doing HTML injection... What should I do? Should he have harmed me? Say, bro... Suddenly my replies also changed on that site. I then disconnected and stopped... Help me, bro. How do I check that I'm secure?
That spot on your camera man. I kept swiping my screen for 5 mins😭
That website is very, very vulnerable to SQL injection and cross-site scripting.
Thanks bro
Looking for JS decorators.
hi again dudee
subscribed
Any examples of a good sanitize/escape function I can run for showing (e.g.) a user his details on his profile page, as they are all user input?
Just make sure you don't use innerHTML with any of the data and you will be fine. You can easily test this to make sure it works, by entering valid HTML and submitting that to see if it is injected or not.
@@WebDevSimplified I've actually always thought XSS is a thing I should be careful with when programming backend, and also I use jQuery so I guess the equivalent would be $().text and $().html
Thanks for clearing it up though, I shall be more careful writing my frontend js code now.
@@WebDevSimplified also what about when I use something like eJs, and then write his or her username like or when you use php short tags, that would be vulnerable, would it not? It's something I just thought of.. I am confusion 🤔😀
@@MisterOptimous it would be vulnerable if your backend language isn't sanitizing the data before rendering. It depends on your language. An easy way to test would be to just try it and see what your language does. Most should sanitize it.
that is amazing
bart simpson
This one deserves a like.
wow
But didn't you just fetch your own cookie from your own browser? How could you do it for other users?
In this example, you could create a malicious link to this website and have other users click it, fetch their cookie and send it off to you so you can use it to access their account.
Explanation for people in a hurry. Clear, objective, and exemplified. You've got another subscriber.
Thank you!
Simple and clear explanation! Thank you!
If you want to use innerHTML, then just encode it before putting it inside innerHTML.
To encode, just replace '' by '>'.
So when it goes in the innerHTML, the browser changes them back to ''.
Odin project keeps sending me to this golden channel.
Bro even your older content is fire!
All those who dislike and hate this video are definitely hackers...thanks for the explanation Kyle
Problem is that innerText is also not a safe method; textContent is a better idea.
Discord had to patch this thing just a week ago. I mean, c'mon, how has nobody considered it?
Hi, so do you escape on the client side or the server side?
The escaping needs to be done on the server side since it is always possible a user can change something on the client side before it gets sent to the server so when you send it back you need to escape it.
@@WebDevSimplified Thanks for the answer!!
Or you can do the escaping when you are actually rendering it in the DOM, if the server-side change is a lot of work. The dompurify npm package does exactly that.
Thanks @Kyle for simplifying this. You always come up with new interesting topics 💖
Do you have a course on Javascript?
Yep. javascriptsimplified.com
This is a great explanation, thank you!
Do you have any other videos that talk about securing a website and web server?
I really like how this guy makes tutorial videos for teaching (short and simple) and not for view by putting un-necessarily long 10 minute videos.
You are doing great work. Thank you!
I tried to test with your HTML/CSS/JS code in CodePen, but nothing works.
Why don't you use a pattern to avoid XSS attacks?
Cross site scripting: normal poo
HTML searching: ugly poo
JavaScript injection: rich poo
Great tutorial as always :D
Thanks! I really appreciate it.
Thanks!
You're welcome!
Love u xD
I added JavaScript text to my own website. However, it does not give any alert. My web app treats it like plain text instead of JavaScript. What should I do to make my code vulnerable to XSS? Because I need to perform XSS for my cybersecurity class.
function safeify(string) {
  // A detached element that never gets attached to the page.
  let el = document.createElement('p');
  // Assigning innerText stores the string as text: '<', '>' and '&' are not parsed as markup.
  el.innerText = string;
  // Reading innerHTML back returns those characters as &lt; &gt; &amp; entities,
  // so the result can be placed into another element's innerHTML without being parsed as tags.
  return el.innerHTML;
}
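The same escaping done explicitly, without a DOM, so it can run on the server as the thread above recommends, and shown on a profile page built from user-supplied fields (the question a few comments up). This is an added example, not code from the video or from the commenters; escapeHtml, renderProfile and SAMPLE_USER are names chosen here, and the sample user is constructed.

```javascript
// Map of the five characters that can break out of HTML text or attribute
// context. '&' is listed first so text that was already escaped is not
// decoded back (escapeHtml('&lt;') becomes '&amp;lt;', never '<').
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Explicit escaper: the "replace the angle brackets with entities" idea from
// the comments, applied to all five characters in a single pass so that no
// replacement can re-introduce a character a later one would have caught.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side renderer for a profile page built from untrusted fields.
// Every value goes through escapeHtml before it is concatenated into
// markup, so stored markup is displayed as text rather than parsed.
// The id goes into a URL path, a different context, so it gets URL
// encoding instead of HTML escaping.
function renderProfile(user) {
  const name = escapeHtml(user.name);
  return (
    `<h1>${name}</h1>` +
    `<p class="bio">${escapeHtml(user.bio)}</p>` +
    `<a href="/users/${encodeURIComponent(user.id)}" title="${name}">profile</a>`
  );
}

// Constructed sample (hypothetical user, not data from the video): the bio
// carries the kind of markup the video demonstrates, an <img> whose onerror
// handler reads document.cookie, and the name tries to close the title
// attribute early with a double quote.
const SAMPLE_USER = {
  id: 42,
  name: 'Mallory "M" <script>',
  bio: '<img src=x onerror="alert(document.cookie)"> hi & bye',
};

// On the client the equivalent is simply el.textContent = user.bio; the
// escaper is only needed when the string is destined for innerHTML or for
// a server-rendered template.
console.log(renderProfile(SAMPLE_USER));
```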
Hey man, your face is covered by the WDS symbol.
Thanks for the heads up. I removed it and it should take effect within the next few hours or so.
Hello friend! How are you? I'm Brazilian, a script is running on my sales site. Do you know if there's a way I can block it?
We can stop this by just using a regex expression, though, not allowing tag-related items.
So what about link sharing? If I want my website to be able to support web URL/link sharing, what can I do? If I use innerHTML then it won't understand a website URL as links. Any idea?
@web dev simplified I see other videos and they start with script tags, why do you say it's not supported?
I think CORS isn't the way to stop the XSS issue of sharing cookie information with another server, right? If so, how can we allow/block third-party server calls from the client side, and who decides it?
coming from odin project "Trust the process-look how far you've already come! You've made incredible progress, and there's so much more ahead waiting for you. Keep pushing forward; you're on the right path to be an amazing web developer!"
Whoa, never knew that IMG tags can be dangerous too. So the onerror event, or any event in the dynamic HTML, and script tags should be removed. Got it.
Nice like animation.
Hey guys, can anyone help with a JavaScript site just like this one so I can practice?
Nice tutorial... The short of it sent me here.
thanks Kyle. This is vital information. I've subbed !
very great video
Xss = css
Pikaboo, baby Kyle! 😄
bro you are awesome..