JavaScript security
Best Practices
Avoid eval()/innerHTML – Use textContent for plain text; if you must render untrusted HTML, sanitize it first with DOMPurify.sanitize(html) and only then assign it.
CSP Headers – Block inline scripts and eval() with Content-Security-Policy: script-src 'self' (no 'unsafe-inline' or 'unsafe-eval'); allow a specific inline script only through a nonce or hash.
Risks
DOM XSS – untrusted data (location, postMessage, query string) reaches a sink such as innerHTML, document.write() or eval().
Prototype pollution – attacker-controlled keys such as __proto__ reach a recursive merge/assign and add properties to Object.prototype for every object in the page.
Example (Safe DOM Manipulation):
// BAD: XSS risk
document.getElementById("output").innerHTML = userInput;
// GOOD: assigned as a text node, never parsed as HTML
document.getElementById("output").textContent = userInput;
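Prototype pollution, the second risk listed above, as an added example that is not code from the original page: a naive recursive merge that lets an own "__proto__" key reach Object.prototype, a hardened merge that drops such keys, and a privilege check in both its loose and strict forms. The payload is a constructed JSON body of the kind a request handler would parse and merge; all function names are this example's own.

```javascript
// Added example (not from the original page): prototype pollution through a
// recursive merge, and a hardened merge that drops the dangerous keys.
// The payload in demonstrate() is constructed, modelled on a parsed JSON body.

// BAD: walks every key of the source, including an own "__proto__" key, so
// target["__proto__"] (i.e. Object.prototype) becomes the next merge target.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// GOOD: refuse the keys that lead to a prototype, iterate own keys only, and
// never recurse into an inherited property of the target.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const dest = own !== null && typeof own === "object" && !Array.isArray(own) ? own : {};
      target[key] = safeMerge(dest, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A privilege check that reads through the prototype chain: once the
// prototype is polluted, every object, even a fresh {}, reports isAdmin.
function isAdminLoose(user) {
  return user.isAdmin === true;
}

// Hardened check: only an own property of the user object counts.
function isAdminStrict(user) {
  return Object.prototype.hasOwnProperty.call(user, "isAdmin") && user.isAdmin === true;
}

function demonstrate() {
  // Constructed attacker payload (e.g. a parsed JSON request body).
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "guest"}');
  const guest = { name: "guest" };

  const before = isAdminLoose(guest);             // false: prototype is clean

  unsafeMerge({}, payload);                       // sets Object.prototype.isAdmin = true
  const afterUnsafeLoose = isAdminLoose(guest);   // true: inherited from Object.prototype
  const afterUnsafeStrict = isAdminStrict(guest); // false: not an own property
  delete Object.prototype.isAdmin;                // undo the pollution for this demo

  const merged = safeMerge({}, payload);          // the "__proto__" key is dropped
  const afterSafe = isAdminLoose(guest);          // false: prototype untouched

  return { before, afterUnsafeLoose, afterUnsafeStrict, afterSafe, merged };
}

console.log(demonstrate());
```

The merge is the usual entry point (deep-merge helpers, query-string parsers, "extend" utilities), but the damage shows up elsewhere, in any `if (obj.flag)` check that reads through the prototype chain. Dropping `__proto__`, `constructor` and `prototype` at the merge and checking own properties at the consumer are independent fixes; keeping untrusted-keyed data in `Object.create(null)` or a `Map`, or calling `Object.freeze(Object.prototype)` at startup, closes the same hole from a third side.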
Last update:
2025-05-12 14:39