I was looking at the answer here and got curious if a function I use may be susceptible to XSS. Mostly because of this statement:
Some HTML attributes are inherently dangerous. This includes href, since you can do something like javascript:alert("XSS");. Since you make sure the value will always start with http you should be fine, though. Other examples of dangerous attributes are style and JS event handlers.
In my function you will see that the form action url and the input value are both set using jQuery.
$("#test").on("click", function () {
    // id is read from the clicked element's data-id attribute
    let id = $(this).data("id");
    let url = 'test.php';
    // form action and target are set through the DOM API, not by concatenating HTML text
    let form = $('<form method="POST">').attr({ "action": url, "target": "_blank" });
    // id becomes the input's value property, again without building HTML from a string
    let input = $('<input type="text" name="id">').val(id);
    $('#page').append(form.append(input));
    form.submit();
});
I am setting the input value to the value of a data attribute and setting my form action url. Is this susceptible to XSS?
Edit:
To explain some more on where id is coming from, it is coming from a row that has data-id as one of its attributes. When a user clicks on this row, the function is triggered. This id could be altered by using the Inspect tool in the browser.
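The quoted answer's condition, that the action value must be guaranteed to start with http, can be made an explicit check. The helper below is an added example (not code from the question or its answers); it parses the candidate URL the way the browser will, allows only http(s), and by default also requires the page's own origin, with the base URL and sample values constructed for illustration.

```javascript
// Added example: allow-list check for a form action URL before assigning it.
// `base` stands in for the current page URL (document.baseURI in a browser).
function safeActionUrl(candidate, base, { sameOrigin = true } = {}) {
  let url;
  try {
    // Resolves relative paths such as 'test.php' against the page URL, strips
    // leading whitespace and lower-cases the scheme exactly as the browser does,
    // so 'javascript:' cannot hide behind mixed case or padding.
    url = new URL(candidate, base);
  } catch {
    return null; // unparseable input is rejected rather than passed through
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return null; // blocks javascript:, data:, vbscript: and other scriptable schemes
  }
  if (sameOrigin && url.origin !== new URL(base).origin) {
    return null; // '//other.example/x' is https but would post the form elsewhere
  }
  return url.href; // normalized absolute URL, safe to assign to form.action
}

// Usage as the question's click handler would use it (constructed page URL):
const PAGE = 'https://app.example/orders/';
const resolved = safeActionUrl('test.php', PAGE);
// resolved === 'https://app.example/orders/test.php'
```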