Security comparison of eval and innerHTML for client-side JavaScript?

Front-end · Unresolved · 3 · 1039
Happy的楠姐 2020-12-05 18:52

I've been doing some experimenting with innerHTML to try and figure out where I need to tighten up security on a webapp I'm working on, and I ran into an interesting injec

3 answers
• 一生所求 · 2020-12-05 19:29

innerHTML isn't insecure in and of itself. (Nor is eval, if only used on your code. It's actually more of a bad idea for several other reasons.) The insecurity arises in displaying visitor-submitted content. And that risk applies to any mechanism with which you embed user content: eval, innerHTML, etc. on the client side, and print, echo, etc. on the server side.

Anything you put on the page from a visitor must be sanitized. It doesn't matter a great deal whether you do it when the initial page is being built or when it is added asynchronously on the client side.

So... yes, you need to show some care when using innerHTML if you're displaying user-submitted content with it.
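The point the answer makes, shown as an added example (not code from the question or the answer): the same visitor-submitted string is assembled into markup once without escaping and once with it, and visitor data meant for eval is parsed as JSON instead. The helper names and the sample comment are my own; the strings returned are what you would assign to `element.innerHTML` in the browser.

```javascript
// Added example: escaping visitor text before it goes into innerHTML.
// Runs in Node with no DOM; the returned strings are the markup a page
// would assign to element.innerHTML. Helper names are assumptions.

// Escape the five characters that let text break out of an HTML text
// node or a double-quoted attribute value.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe: visitor text is concatenated straight into markup, so any tag
// the visitor typed becomes part of the page's DOM. Kept for contrast.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Safe: every visitor-supplied value is escaped first, so the markup
// structure is fixed by the developer and the visitor only supplies text.
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Same principle for eval: visitor data is parsed, never evaluated.
// JSON.parse throws on anything that is not JSON, including code.
function parseVisitorData(text) {
  return JSON.parse(text);
}

// Constructed sample input: a visitor puts markup in the comment body.
const sampleAuthor = 'Happy';
const sampleBody = 'nice <b>post</b> <script>run()</script>';

console.log('unsafe:', renderCommentUnsafe(sampleAuthor, sampleBody));
console.log('safe:  ', renderCommentSafe(sampleAuthor, sampleBody));
// For plain text with no markup at all, el.textContent = body is simpler
// and needs no escaping at all.
```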
