
How To Prevent The Most Common Cross Site Scripting Attack

Cross site scripting is one of the most common ways an attacker will attempt to compromise a website. There are many forms of cross site scripting, but the most common cause is using innerHTML with user input. Any user input must be escaped before it is used with innerHTML, and every use of innerHTML should be thought through carefully to make sure no user input can reach it without being sanitized. It is an easy mistake to make, but luckily the fix is just as easy.
Cross Site Scripting Article:
blog.webdevsim...
CodePen For This Video:
codepen.io/Web...
Twitter:
/ devsimplified
GitHub:
github.com/Web...
CodePen:
codepen.io/Web...
#XSS #WebDevelopment #Programming

Comments: 179

  • @FairyRat (3 years ago)

    Great stuff. Hello from The Odin Project!

  • @pendelschabe (1 year ago)

    Hey

  • @NadidLinchestein (5 months ago)

    How's it going? Have you finished

  • @bashehu (1 month ago)

    Hii from DOM Manipulations and Events

  • @albertt755 (14 days ago)

    @@bashehu me too bro :D

  • @luizgustavoveneziani3646 (4 years ago)

    Explanation for people in a hurry. Clear, objective, and exemplified. You've got another subscriber.

  • @WebDevSimplified (4 years ago)

    Thank you!

  • @fredymarb (1 year ago)

    The Odin Project brought me here!

  • @husseinomran1021 (1 year ago)

    me too!

  • @mikayla3386 (1 month ago)

    Same!

  • @fredymarb (1 month ago)

    @@mikayla3386 good luck in your journey

  • @leo8964 (2 years ago)

    This is genuinely terrifying... thank you for covering this topic and informing those of us who don't have that in-depth knowledge about such security topics.

  • @natarajanmuthuraman5019 (4 years ago)

    If you want to use innerHTML, then just encode it before putting it inside innerHTML. To encode, just replace '' by '>'. So when it goes in the innerHTML, the browser changes them back to ''.

  • @gaganyadav9569 (4 months ago)

    I really like how this guy makes tutorial videos for teaching (short and simple) and not for views by putting out unnecessarily long 10 minute videos. You are doing great work. Thank you!

  • @leblanc666666 (2 years ago)

    Clear and concise explanation of how this can be dangerous. I've been looking around for a while now because I couldn't understand the risk associated, but you did a great job doing it, thanks!

  • @morgengabe1 (2 years ago)

    I've seen a bunch of people talk about XSS before but you've got a real knack for explaining it simply. Would be great to see more security videos from you!

  • @AmmarRai (4 years ago)

    I don't know what's more amazing... that website.. or that hair...

  • @areshera4039 (2 years ago)

    @@SkillUpMobileGaming never gonna let you down

  • @hdsz7738 (2 years ago)

    hair, definitely

  • @AssFaceNFT (2 years ago)

    Hello from the other side 🌹🙏🕊

  • @htx80nerd (5 months ago)

    Both

  • @iagomota4649 (3 months ago)

    Bro even your older content is fire!

  • @codinginflow (2 years ago)

    Thank you, the first 3 minutes perfectly summarized all my questions

  • @JosephKhalilov (5 years ago)

    Simple and clear explanation! Thank you!

  • @WebDevSimplified (5 years ago)

    You're welcome!

  • @viallymboma9874 (3 years ago)

    All those who dislike and hate this video are definitely hackers... thanks for the explanation Kyle

  • @poudlardo (2 years ago)

    hi there, coming from the odin project

  • @dimarak8866 (3 months ago)

    Good explanation. But if one does not put queries in the URL then stuff like this doesn't matter, so one could still safely use innerHTML. Generally the client is never safe, because all client code is accessible through dev tools in the browser. So a strong backend protection and safe routing is all it takes to prevent stuff like this.

  • @anvayjain4100 (1 month ago)

    Odin project keeps sending me to this golden channel.

  • @santra528 (3 years ago)

    Thanks @Kyle for simplifying this. You always come up with new interesting topics 💖

  • @thecodersbay2775 (5 years ago)

  • @paristar3079 (4 years ago)

    Your dirty tricks won't work here.

  • @want-diversecontent3887 (4 years ago)

    Pari Star javascript:Function(“a”+”lert(1)”)()

  • @slickwilly691 (3 years ago)

    fuck you, my computer is hacked now

  • @deansprivatearchive (3 years ago)

    Better yet, the alert doesn't even fire as the quotes inside aren't escaped.

  • @harefeedzieharefidziee4315 (3 years ago)

    @RajeshKumar Chokkalingam chill, obviously he means it as a joke.

  • @htx80nerd (5 months ago)

    I prefer to get my coding advice from models. Thank you.

  • @diogosousa9704 (3 years ago)

    Really simple explanation but it was so clear :) Well done

  • @B3ASTM0DE1 (5 years ago)

    Awesome tutorial! I'd love to see an intro to JavaScript series as well!

  • @WebDevSimplified (5 years ago)

    Thanks. That is something I want to tackle for sure, but I need to plan out exactly how beginner friendly I want to make the videos. I could go as beginner friendly as never having programmed before, or just explain JavaScript itself and not programming.

  • @B3ASTM0DE1 (5 years ago)

    @@WebDevSimplified Yeah that is a tough one to figure out. You never know where people are at in the journey of web development. Personally, I think it would be nice to cover the basic aspects of programming like you mentioned and then dive into JavaScript. If they don't want to watch that part they can always skip ahead!

  • @WebDevSimplified (5 years ago)

    @@B3ASTM0DE1 that is kind of my thought as well. I have so many different series ideas and so little time that it is tough to choose one to start on.

  • @Speaks4itself (5 years ago)

    Web Dev Simplified Will be waiting

  • @yadneshkhode3091 (4 years ago)

    @@WebDevSimplified Can you make a video based on Kyle Simpson's book You Don't Know JS, or other JavaScript books? A person can find basics anywhere on KZread but you won't find industry level JavaScript anywhere, so can you please cover that? You can even make a paid course if you like; many people will purchase it if it's on the level of Kyle Simpson's book (lots of people hate reading books, like me, and it's more time consuming).

  • @kaysi768 (5 years ago)

    really well explained my friend, subbed

  • @WebDevSimplified (5 years ago)

    Thanks! I really appreciate it.

  • @jumboliah13 (8 months ago)

    FANTASTIC. Your teaching skills are crazy good.

  • @davidjiang7929 (4 years ago)

    This is a great explanation, thank you! Do you have any other videos that talk about securing a website and web server?

  • @hariprasath3871 (4 years ago)

    “>alert(“Channel Hacked!!!”)

  • @sreeharisanjeev8271 (4 years ago)

    Your dirty tricks don't work here

  • @anarkix6956 (4 years ago)

    eval(StringtoCharCode());

  • @marcotonybu3231 (2 years ago)

    Thanks so much for making content that helps people like this one. God bless you

  • @srjons_official (1 year ago)

    Your videos are really awesome, you make web really simplified 🎉

  • @codedynamics1 (2 years ago)

    thanks Kyle. This is vital information. I've subbed!

  • @danser_theplayer01 (1 year ago)

    Discord had to patch this thing just a week ago, I mean c'mon, how has nobody considered it?

  • @maciejleszek7401 (3 years ago)

    Problem is that innerText is also not a safe method, textContent is a better idea

  • @marcusotter (5 years ago)

    Great tutorial as always :D

  • @WebDevSimplified (5 years ago)

    Thanks! I really appreciate it.

  • @demonicsyndrome (5 years ago)

    Legend, subscribed!

  • @WebDevSimplified (5 years ago)

    Thanks!

  • @dereksneddon6386 (2 years ago)

    Great explanation man! You earned a sub!

  • @christiancramer3379 (3 years ago)

    Learned so much here, I think I'm on my 7th JavaScript beginner tutorial

  • @stathisi.5883 (1 year ago)

    This was very eye-opening... like wow...

  • @aaa4363 (1 year ago)

    Thanks!

  • @WebDevSimplified (1 year ago)

    You're welcome!

  • @emonymph6911 (2 years ago)

    Umm why didn't you show us how to fix the problem right at the end?? Kinda weird that you stopped on the most important part lol

  • @DogmaFight (2 years ago)

    Yes, was expecting a quick example of how to sanitize the input

  • @busyrand (2 years ago)

    Nice tutorial... The short of it sent me here.

  • @ridl27 (4 years ago)

    wow. thx for this useful and concise video. now I understand Cross Site Scripting

  • @ravendfj (5 years ago)

    Hi, so do you escape on the client side or the server side?

  • @WebDevSimplified (5 years ago)

    The escaping needs to be done on the server side, since it is always possible a user can change something on the client side before it gets sent to the server, so when you send it back you need to escape it.

  • @ravendfj (5 years ago)

    @@WebDevSimplified Thanks for the answer!!

  • @yashojha5033 (3 years ago)

    Or you can do the escaping when you are actually rendering it in the DOM, if the server-side change is a lot. The dompurify npm package does exactly that.

  • @zelytics (11 months ago)

    "you may think, what can they do with this?" Have you ever had the infinite error box???

  • @yashojha5033 (3 years ago)

    Woah, never knew IMG tags can be dangerous too. So the onerror event, or any event in the dynamic HTML, and script tags should be removed. Got it.

  • @pvd4170 (1 year ago)

    Thank you for such a helpful video!

  • @justingolden21 (3 years ago)

    So how would one sanitize the input? Would you just replace all less than and greater than signs with < > ?

  • @chumpee01 (5 years ago)

    Superb.. couldn't be explained better.

  • @WebDevSimplified (5 years ago)

    Thanks!

  • @littleweirdo96 (3 years ago)

    Hi, I don't fully understand how a person can have access to the cookie data if I open the link on my end, wouldn't the script just be run on my end and only be seen by me? Thanks

  • @Victor_Marius (3 years ago)

    It can send your data from your end to an API/server of theirs (to the malicious end). Afterwards they can use those cookies to log into your account.

  • @travisblogstravis4367 (3 years ago)

    My PC just got hacked where I accidentally put a script in my URL and some guy almost got my PC, but I emailed my local police and they got him

  • @BrownFreelance (2 years ago)

    Thank you! On a side note, what is that font that you are using?

  • @planetmall2 (4 years ago)

    Great video! Thank you!

  • @WebDevSimplified (4 years ago)

    You're welcome!

  • @lifeforce3451 (5 years ago)

    Thank you. I am about to finish my web site and I am thinking now I will have to do the same amount of work only for the security. It's a dangerous world ...

  • @WebDevSimplified (5 years ago)

    Security is really hard, but luckily once you know what to look for it is pretty easy to avoid those traps.

  • @biswajitsamantaray3117 (3 years ago)

    @web dev simplified I see other videos and they start with script tags, why do you say it's not supported? I think CORS isn't the way to stop the XSS issue of sharing cookie information to another server, right? If so, how can we allow/block third-party server calls from the client side and who decides it?

  • @ben_jammin242 (5 years ago)

    Great video. Thanks!

  • @WebDevSimplified (5 years ago)

    You're welcome!

  • @ioannisme7495 (3 years ago)

    thank you, very helpful

  • @sparky-makes8373 (2 years ago)

    Hello from TOP!

  • @silenceplease5904 (1 year ago)

    we can stop this by just giving a regex expression though, not allowing tag related items

  • @br6719 (4 years ago)

    Love this video. I am curious if these filters can be seen from a website if one was to open the developer tools to search these .innerHTML or .innerText elements.

  • @amyp.575 (4 years ago)

    Look in the inspect tab then the console tab and look

  • @otesunki (3 years ago)

    function safeify(string) {
      // Setting innerText stores the string as text, so reading innerHTML back
      // returns the same string with <, > and & already escaped.
      let el = document.createElement('p');
      el.innerText = string;
      return el.innerHTML;
    }

  • @flashteq1030 (4 years ago)

    very nice explanation bro

  • @WebDevSimplified (4 years ago)

    Thank you

  • @user-kn8nt5zm5n (10 months ago)

    I added JavaScript text to my own website. However, it does not give any alert. My web app treats it like plain text instead of JavaScript. What should I do to make my code vulnerable to XSS? Because I need to perform XSS for my cybersecurity class

  • @pankajjoshi8292 (3 years ago)

    Sir, I request you to build a simple website discussing all security issues

  • @jonfreshhh (1 year ago)

    Thank you!

  • @Chaaos2 (5 years ago)

    Very cool, great video dude

  • @WebDevSimplified (5 years ago)

    Thanks!

  • @rubeushagrid4131 (3 years ago)

    You are a life saver.

  • @zarazada (3 years ago)

    Thank you 🙏🏻

  • @niggisnonaz (2 years ago)

    I don't get it? You can insert into HTML easily and get the same information too? Just click inspect in Chrome and put that in

  • @bryceblazegamingyt9741 (1 year ago)

    You can't send other people your inspected website.

  • @arcanelore168 (5 months ago)

    Do you have a course on JavaScript?

  • @WebDevSimplified (5 months ago)

    Yep. javascriptsimplified.com

  • @FBDev64 (1 year ago)

    I tried to test with your HTML CSS JS code in CodePen, nothing works.

  • @mrnobody1286 (3 years ago)

    So what about link sharing? If I want my website to be able to support web URL/link sharing, what can I do? If I use innerHTML then it won't understand a website URL as links. Any idea?

  • @alfredosolorzanoaguilar3058 (4 months ago)

    why don't you use a pattern to avoid XSS attacks

  • @widibaka7058 (3 years ago)

    very great video

  • @randy4443 (2 years ago)

    I tried this with my site and the alert is not working. I have not sanitized it at all and not sure why it is not displaying

  • @yanrocha447 (2 years ago)

    Hello friend! How are you? I'm Brazilian, a script is running on my sales site. Do you know if there's a way I can block it?

  • @lubu2960 (1 year ago)

    very interesting!

  • @cengiz-ilhan (1 year ago)

    hi again dudee

  • @rede_neural (1 year ago)

    Why would other websites' data be available for this website? This seems like a browser defect, it shouldn't hand out cookies and data of other websites

  • @cmd9183 (4 years ago)

    what if I'm not using innerHTML in a form but rather am using it to output data from a PHP script?

  • @Julia_Berrrlin (3 years ago)

    I'd like to learn more about escaping

  • @almahdi2877 (4 years ago)

    bro you are awesome..

  • @akhilpadmanaban3242 (3 years ago)

    bro recently I was just using a normal stranger chat page in google and a person did this, like showing big running characters and all.... and he told me he is doing html injection..... what should I do???? could he have harmed me???? say bro.... suddenly my replies also changed in that site.. I then disconnected and stopped..... help me bro.. how to check that I'm secure

  • @farismazlan5157 (2 years ago)

    Awesome!

  • @wizardtechlabbs5902 (2 years ago)

    what if I use the post method using jQuery for this work?

  • @rpanda_old (1 year ago)

    That spot on your camera man. I kept swiping my screen for 5 mins😭

  • @vishalverma5280 (2 years ago)

    2:00 magic!

  • @hus8860 (4 years ago)

    Thanks bro

  • @cyber_india (2 years ago)

    Hi, can you tell me how to prevent XSS in Perl?

  • @erzengaming (4 years ago)

    You can see cookies in the console if you type alert(document.cookie);

  • @kurdmajid4874 (3 years ago)

    That website is very very vulnerable to SQL injection and cross site scripting

  • @ai_enthusiast (5 years ago)

    Amazing!

  • @WebDevSimplified (5 years ago)

    Thanks!

  • @rajashekhar433 (4 years ago)

    Looking for JS decorators

  • @thedmitryguy (2 years ago)

    Nice like animation.

  • @theresioleefland1737 (4 years ago)

    hey guys, can anyone help with a JavaScript site just like this one so I can practice?

  • @shauryaaher1579 (2 years ago)

    Not correct information. You'll need to sanitize the text on the server. You can't trust the client. Anyone can open the developer tools and change `innerText` to `innerHTML`.

  • @shaheerDev (1 year ago)

    but then that's the user's fault, not the site's

  • @bryceblazegamingyt9741 (1 year ago)

    While you can change innerText to innerHTML, you can't change it for other people you send the links to.

  • @hawaiigirl121 (2 years ago)

    subscribed

  • @devikapluspoint8306 (4 years ago)

    Cross site scripting: normal poo. HTML searching: ugly poo. javascript injection: rich poo

  • @number1neek (3 years ago)

    Pikaboo, baby Kyle! 😄

  • @jackr6727 (4 years ago)

    Can you please explain the difference between using only the alert tag against the img tag? Why did the alert tag not inject it while the img tag injected it? I don't understand the difference between the two scripts that you have used.

  • @WebDevSimplified (4 years ago)

    When you inject a script tag it will not run, since the browser already ran all the script tags for the page. The img tag will run the onerror script though, since it will immediately throw an error when it is loaded.

  • @jackr6727 (4 years ago)

    @@WebDevSimplified Sorry, still didn't get it... since the browser already ran all the script tags?

  • @WebDevSimplified (4 years ago)

    @@jackr6727 That is correct. It already parsed and ran all the script tags and will not run the newly imported script tag.

  • @jackr6727 (4 years ago)

    @@WebDevSimplified It already parsed and ran all the script tags? How is it already parsed? I am talking about the general difference between the 2 scripts. Not related to your video or the website that you have used for the demo

  • @WebDevSimplified (4 years ago)

    @@jackr6727 What do you mean?

  • @zachfenton608 (3 years ago)

    that is amazing

  • @MisterOptimous (5 years ago)

    Any examples of a good sanitize/escape function I can run for showing (e.g.) a user his details in his profile page, as they are all user input?

  • @WebDevSimplified (5 years ago)

    Just make sure you don't use innerHTML with any of the data and you will be fine. You can easily test this to make sure it works, by entering valid HTML and submitting that to see if it is injected or not.

  • @MisterOptimous (5 years ago)

    @@WebDevSimplified I've actually always thought XSS is a thing I should be careful with when programming backend, and also I use jQuery so I guess the equivalent would be $().text and $().html

  • @MisterOptimous (5 years ago)

    Thanks for clearing it up though, I shall be more careful writing my frontend JS code now.

  • @MisterOptimous (5 years ago)

    @@WebDevSimplified also what about when I use something like EJS, and then write his or her username like or when you use PHP short tags, that would be vulnerable, would it not? It's something I just thought of.. I am confusion 🤔😀

  • @WebDevSimplified (5 years ago)

    @@MisterOptimous it would be vulnerable if your backend language isn't sanitizing the data before rendering. It depends on your language. An easy way to test would be to just try it and see what your language does. Most should sanitize it.

  • @karansahu7710 (3 years ago)

  • @xBadxGirlxLucyx (3 years ago)

    But didn't you just fetch your own cookie from your own browser, how could you do it for other users?

  • @NickyDekker89 (3 years ago)

    In this example, you could create a malicious link to this website and have other users click it, fetch their cookie and send it off to you so you can use it to access their account.