Local Storage Example

The Gallery
1

Local Storage Example

What is Local Storage
Local storage is a built in function in JavaScript. It requires no other websites, sign-in’s or anything but a couple lines of code. It stores data on to the device based on what you tell it to store. So the information I store onto the website from one device doesn’t carry over to another device with the same account. Almost like cookies, but better.

It is easy to use
It is super easy to implement into your code, and it is super powerful.

What did I create?
I created this Local Storage Example which allows you to see the last thing you entered from the device onto the website, even if you reload, delete, reopen the tab, it will still remember what you entered. I added comments to every single line of code in the JavaScript and CSS so you could see exactly what each line of code did.

The localstorage feature is incredible and is useful for highscores and much more!

4 Likes
2

neat way of explaining what localStorage is!
btw the “view source” button doesn’t work - it’s linking to the editor for a project called local-storage-example-2, but that doesn’t exist. it should be local-storage-example:

    <!-- This is the "View Source"  button showing this file -->
-    <a href="https://glitch.com/edit/#!/local-storage-example-2"><button>
+    <a href="https://glitch.com/edit/#!/local-storage-example"><button>
    View Source
    </button></a>
3

just noticed, the website is vulnerable to XSS:

Cross-Site Scripting (XSS) is a type of security vulnerability found in web applications that allows attackers to inject malicious scripts into web pages viewed by other users.

Here’s an example:
Using the code <h1>omg xss</h1><img src="<pic link here>" onload="alert('omg xss')"> on the input we would be able to trigger this next time the page is loaded:

(ignore Uni, I just needed an image for this to work)
(ignore Uni, I just needed an image for this to work)1223×842 82.7 KB

(ignore Uni, I just needed an image for this to work)

In this case, preventing XSS is pretty easy. In the script.js, sanitize data before showing it:

- document.getElementById("entered").innerHTML = `The last thing you entered: "${data}"`;
+ document.getElementById("entered").innerHTML = `The last thing you entered: "${data.replace(/</g, "&lt;").replace(/>/g, "&gt;")}"`;

If this isn’t possible, e.g. if you still want HTML elements to show up but don’t want JS running, removing the ability for the attacker to do worse stuff, you could use something like DOMPurify.

If, for example, you were to implement a system where other people would be able to see what you put, e.g. comments, this could get pretty dangerous.

For example, I could steal everyone’s passwords if it had auth, make them perform actions on the website, redirect everyone that opens the website to pictures of cats (or other websites), steal their IPs, etc…

Still if you did not have something like that it could still be dangerous. E.g. if you had a way to pass a string via a URL parameter, I could use that to almost do the same thing, they just had to click on an URL on my website instead of it automatically running when they visit your website.

that escalated quickly

2 Likes
4

What? I am so very confused. Can you simplify that?

1 Like
5

tl;dr: If your website has an XSS vulnerability, that means attackers can execute any code they want on your website - that’s specially bad if your website has something like comments OR the injection can occur via a URL parameter. To solve, sanitize the data by changing this line in your script file:

- document.getElementById("entered").innerHTML = `The last thing you entered: "${data}"`;
+ document.getElementById("entered").innerHTML = `The last thing you entered: "${data.replace(/</g, "&lt;").replace(/>/g, "&gt;")}"`;
6

isn’t this self xss though

2 Likes
7

yeah it’s not that dangerous in this case, but I made the post as more of a guide on what XSS is

8

it’s easier and safer to just set innerText or textContent rather than innerHTML

4 Likes
9

I agree, but sometimes it can be really helpful when, for example, you get a more complex UI where you don’t want to create each element individually or to use ids

10

For this, nothing really needs to be kept secret. This is just a demo. I will look into all of that if I was keeping more important information.

1 Like
11

this is the case not keeping stuff secret, its just XSS btw. I would still recommend using innerText tho.

12

Thanks for the tip!

1 Like
13

Is it just the website that could be damaged or viewers’ computers as well?

1 Like
14

tl;dr: 99.9999999999999999999999999999999999% of the times no, websites are sandboxed

Only the website could be damaged. Websites are sandboxed and usually can’t harm your computer directly (yes, “visiting a website is enough to install malware on ur pc” is a myth). They might try to overload your system (e.g., system-lag.glitch.me), but modern browsers isolate tabs (and extensions) into separate processes to prevent a full browser or system crash.

That’s what this message is about - the website process crashed.

image
image942×507 8.57 KB

15

adding more complexity to this: “visiting a website can’t install malware on your PC” is a security goal of web browsers, but there have been and continue to be bugs that cause major browsers to fail to enforce this

2 Likes
16

yeah that’s why i said “usually”, but you should be safe unless you have the NSA :us::us::us::eagle::eagle::statue_of_liberty:after you.

17

image

did you edit out the “usually”?

1 Like
18

just noticed that sry, added the usually back.

1 Like
19

I am not gonna ignore Uni <3

1 Like
20

Is there something similar to this Local Storage that I can use that doesn’t require a lot of work and is more secure?