vulnerabilities of letting user define innerHTML
Let's say I have a <textarea> and <div> element, and when the user puts HTML, CSS, or whatever they want into the textarea, their input is set as the innerHTML of the <div> element, using JavaScript.
What are the vulnerabilities of letting the user define the content of a <div> element?
If the content they enter does not leave the page, there is no more risk than them editing the DOM through Firebug or the Chrome inspector. If you take their input and then display it as is, that is a huge security risk, especially when other users are on your website.
Well, if you encode the contents so that any JavaScript that is in there won't execute, then it should be safe.
If you don't, then a user could upload JavaScript that would execute the next time another user views that page.
I want to modify my response to take into account @Brigham's comments. Escaping only works reliably if you are dealing with the innerHTML of something like a div tag; if you are using a user-generated value as an attribute or within a script tag, then escaping/encoding won't work.
I'll refer you to the OWASP XSS guidance (that @Brigham originally brought to my attention) for more information: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#Untrusted_Data
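As an added example (not code from any of the answers above): escaping untrusted input for the element-content context before it is assigned to innerHTML, alongside the textContent alternative that never invokes the HTML parser. The element stand-in and the sample input are constructed so the functions can be exercised outside a browser.

```javascript
// Added example, not from the answers above: escape untrusted text before it is
// placed in an element's innerHTML, and prefer textContent where no markup is wanted.

// Characters that have meaning in HTML element content or quoted attribute values;
// each is replaced by its character reference so the browser treats it as text.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted input for the element-content (and quoted-attribute) context only.
// It is NOT sufficient inside <script>, inside unquoted attributes, or in URL/CSS contexts.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render untrusted text into a container by assigning escaped markup to innerHTML.
// The visible result is the literal text the user typed; no tags are parsed.
function renderEscaped(container, untrusted) {
  container.innerHTML = escapeHtml(untrusted);
  return container.innerHTML;
}

// Safer default when markup is not wanted at all: textContent never invokes the
// HTML parser, so there is nothing to escape.
function renderAsText(container, untrusted) {
  container.textContent = String(untrusted);
  return container.textContent;
}

// Constructed sample input of the kind the question describes (placeholder host).
const SAMPLE = '<b>hello</b> <script src="https://example.invalid/x.js"></script>';

// Minimal stand-in for a DOM element so the functions run outside a browser.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

console.log(renderEscaped(fakeElement(), SAMPLE));
```

In a real page the container would be the <div> itself; the escaped string renders as visible text rather than as elements.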
The user can do cross-site scripting. They can inject malicious client-side code.
Take a look at http://en.wikipedia.org/wiki/Cross-site_scripting
Whatever they want could include a <script> tag which pulls a .js file from their own server. Then if you show that content to another user, the script could do all kinds of things to extract information from the unsuspecting user.