Un-sanitized User Input In Your JavaScript Is Dangerous

Adam Presley
2 min readNov 30, 2020
Photo by Luis Villasmil on Unsplash

Disclaimer: The following statements are mine, and do not relate to my employer or any of their or my clients. This article is based on a real story, but the details have been changed to protect the original source.

As software engineers we often have a hundred things to consider aside from the code we are writing, be it testing, servers, or deployment. One area that can be easily overlooked is security. I came across the following gem one day when assisting in a security review of an application.

The application in question accepted user input, and at some point in the process would take this input and do some type of concatenation or processing with it into a variable. The security testing team reported a finding and I was asked what the following code would do.

Interestingly enough it will alert! I hadn’t seen that one before. So my next though was, could I do something more sinister, like fetch a remote script or data. So I tried this next.

In the above snippet, notice that I am performing a fetch to a remote resource. In this case I am using a nifty free testing tool called JSON Placeholder. Then, when the response comes back, I’m just writing the result out to the console to see if it worked. Sure enough, it works.

If you run the above CodePen you will get an alert. Then if you expand the console (found on the bottom left) you will see a JSON object that is returned from JSON Placeholder.

When developing software there are many facets to consider, and security should always be one of them. In this case, be wary of un-sanitized user input. Sanitize, sanitize, sanitize.

For more information on secure development practices both NIST and Microsoft offer some great general advice for adopting a secure development lifecycle. Check out the links below, and happy coding!

Adam Presley

Just a guy who loves his wife, kids, and writing software.