I'm testing xss attacks on my own code. The example beneath is a simple box where an user can type whatever he wants. After pressing test! button, JS will show the input string into two divs.This is an example I made to explain better my question:
<html>
<script src=http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js></script>
<script type=text/javascript>
function testIt(){
var input = document.getElementById('input-test').value;
var testHtml = document.getElementById('test-html');
var testInnerHTML = document.getElementById('test-innerHTML');
$(testHtml).html(input);
testInnerHTML.innerHTML = input;
}
</script>
<head>this is a test</head>
<body>
<input id=input-test type=text name=foo />
<input type=button onClick=testIt(); value=test!/>
<div id=test-html>
</div>
<div id=test-innerHTML>
</div>
</body>
if you try to copy it into a .html file and run it, it will work fine, but if you try to input <script>alert('xss')</script>
, only one alert box will be thrown: the one inside `test-html' div (with html() function).
I really can't understand why this is happening, and also, inspecting the code with firebug gives me this result (after injecting the script)
<body>
this is a test
<input id=input-test type=text name=foo>
<input type=button value=test! onclick=testIt();>
<div id=test-html> </div>
<div id=test-innerHTML>
<script>
alert('xss')
</script>
</div>
</body>
as you can see test-html
div is empty, and test-innerhtml
div contans the script. Can someone tell me why? Is because html() is more secure against scripts injection or something similar?
Thanks in advance, best regards.