Security issues when setting form field values through JavaScript?

I would like to know if there are security issues when setting the values of form fields directly through JavaScript. I am absolutely sure that it is safe to do under any circumstances, but I must be absolutely sure, and not sure. So, I ask for your opinion.

What I mean:

Suppose I have an HTML form that contains an input text field with id "txt_Field", and I do the following:

    ...
    myvalue = "<script>alert('I am evil');</script>";
    document.getElementById("txt_Field").value = myvalue;
    ...

i.e. I set the value of a form field to a string that is held in a variable without escaping or filtering that string. Of course, this line will actually contain user input with evil things of all kinds.

However, I think it is safe. Does anyone know an example that proves the opposite?

Please note that the issue is not that the value of the unfiltered form field can harm the server when the form data is sent to the server.

I just would like to know if anyone can think of any content in my value that could trick the (modern) browser into weird behavior when the form field values are set this way, or if I misunderstood something very important.

Thank you very much!

+6
1 answer

I think this is safe because you must use the eval() method to run your code. And of course, it is absolutely safe!

-1
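
An added example (not part of the question or the answer above) contrasting assignment to `.value` with building the same input as markup. The helper names, the plain-object stand-in for the element and the sample string are assumptions, chosen so that it runs outside a browser.

```javascript
// Added example: three ways of getting an untrusted string into a text input.
// Helper names and the sample string are assumptions made for this illustration.

// 1. Property assignment: the string is stored as the control's value and
//    never passes through the HTML parser, so markup in it stays inert text.
function setFieldValue(field, untrusted) {
  field.value = String(untrusted);
  return field.value;
}

// 2. Unsafe: concatenating the string into markup (for innerHTML or a
//    server-side template) lets a double quote end the attribute early.
function unsafeInputMarkup(untrusted) {
  return '<input type="text" value="' + untrusted + '">';
}

// 3. Safe markup: escape the characters that are significant inside a
//    double-quoted attribute value before concatenating.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}
function safeInputMarkup(untrusted) {
  return '<input type="text" value="' + escapeAttr(untrusted) + '">';
}

// Minimal reader for the markup built above: returns the decoded value
// attribute the way an HTML parser would see it (up to the first closing ").
function parsedValue(markup) {
  const m = /value="([^"]*)"/.exec(markup);
  if (!m) return null;
  return m[1]
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Constructed sample input containing a quote and tag characters.
const sample = 'a "quoted" <b>word</b> & more';
const field = { value: "" }; // stand-in for document.getElementById("txt_Field")

console.log(setFieldValue(field, sample) === sample);            // true
console.log(parsedValue(unsafeInputMarkup(sample)) === sample);  // false
console.log(parsedValue(safeInputMarkup(sample)) === sample);    // true
```

In a browser, the first form corresponds to the assignment in the question; the second and third apply only when the string is later written into markup.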