I'm working on a single page webapp. I'm doing the rendering by directly creating DOM nodes. In particular, all user-supplied data is added to the page by creating text nodes with document.createTextNode("user data").
Does this approach avoid any possibility of HTML injection, cross site scripting (XSS), and all the other evil things users could do?
It creates a plain text node, so yes, as far as it goes.
It is possible to create an XSS problem by using an unsafe method to get the data from whatever channel it is being input into to createTextNode though.
e.g. The following would be unsafe:
document.createTextNode('<?php echo $_GET['xss']; ?>');
… but the danger is from the PHP echo, not the JavaScript createTextNode.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 做自己的国王 的文章《Is createTextNode completely safe from HTML inject》','https://www.manongdao.com/article-433378.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}