I have a simple bimple function which echoes this:
echo '<button name="wooba" onclick="alert(this.name)">Say name</button>'
This just works fine, but If a user edits the HTML using a Chrome or Firefox, he can modify the code to output something like:
echo '<button name="wooba" onclick="alert('XSS :D')">Say name</button>'
I have set the only http on the php ini relating the cookies, but is there any way to prevent the user from modifying and successfully changing the site’s javascript?
Thanks!
Advertisement
Answer
Once the document reaches a user’s browser it is theirs to manipulate how they like. This in itself isn’t XSS. An XSS exploit exists when a bad actor can inject a script in other people’s document. In your example, so long as this.name doesn’t come from user input you don’t have a problem.