Is the following HTML5 method more secure? If so, in what way?

Is the following HTML5?

I see this kind of code throughout the JavaScript for the multiple applications I need to support.


But I see in this article:

HTML5 comparison to Old way

Instead, I read the new way to code this is by using the dataset:
       data-untrustedinput="@untrustedInput" />

     var injectedData = document.getElementById("injectedData");

     // All clients
     var clientSideUntrustedInputOldStyle =
         injectedData.getAttribute("data-untrustedinput");

     // HTML 5 clients only
     var clientSideUntrustedInputHtml5 =
         injectedData.dataset.untrustedinput;


The use of getAttribute() is the old way, not the HTML5 way, as you can see.

My goal is to block XSS URL hacks. Does the HTML5 way close any exposures?

newbieweb, Sr. Software Engineer, Asked:

Scott Fell, EE MVE, Developer & EE Moderator, Commented:
You can't trust anything on the front end (HTML/JavaScript). This type of thing needs to be done on the server side. (.NET, PHP etc)

newbieweb, Sr. Software Engineer, Author Commented:
Thanks. I am having a very hard time extracting the various URLs created by our own JavaScript, so that I can nail down the calls to our back-end which might be exposed.

I am literally searching through four applications for these flags:


But it feels a bit hopeless.

Is there a way on the C# end to list all C# calls that are exposed? I feel like that means any public or protected action method, and that feels like another wrong tree to start barking up.

Scott Fell, EE MVE, Developer & EE Moderator, Commented:
> element.getAttribute("data-ajax-loading-duration")

Let's say you have html
<div id="abc" class="success" data-ajax-loading-duration="3">The duration of ajax loading will be 3 seconds</div>


All that is doing is accessing the "3". The issue is when you submit that 3 via an ajax (or direct post). It's on the server side that you want to protect yourself. Just reading data from a URL on the client is not going to be harmful to your server.

As far as your code, I don't work in C# or .NET. But you want to look for anywhere data is accepted such as a GET or POST. I also found this git from searching your code. Keep in mind this is talking about placing data in your HTML that is generated from the back end. They are referring to data- attributes and placing data inside that such as the "3" I mentioned above. However, if that "3" gets sent back to the server, you still can't trust it and must have code to ensure safety on the back end.

To answer your question here, "Does the HTML5 way close any exposures?" This is really a back end issue and not front end.
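
The point made in the answers above, as an added example that is not part of the original thread: getAttribute() and dataset return the same string, so the protection sits in encoding the value when the server writes the data- attribute and validating it when the client sends it back. It is written in JavaScript as a stand-in for the C# back end; the function names and the 0 to 60 second range are assumptions.

```javascript
// Added example: function names and the 0..60 range are assumptions,
// not taken from the thread or from any application discussed in it.

// Encode untrusted text before the server writes it into a data- attribute,
// so the value cannot close the attribute or the tag.
function encodeForHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render the element from the thread with an encoded attribute value.
function renderDurationDiv(untrusted) {
  return '<div id="abc" data-ajax-loading-duration="' +
    encodeForHtmlAttribute(untrusted) + '"></div>';
}

// Server-side check for the value when the client posts it back.
// Allow-list: a whole number of seconds, one or two digits, at most 60.
function parseLoadingDuration(raw) {
  if (typeof raw !== "string" || !/^[0-9]{1,2}$/.test(raw)) {
    return { ok: false, error: "duration must be 1-2 digits" };
  }
  const seconds = Number(raw);
  if (seconds > 60) {
    return { ok: false, error: "duration out of range" };
  }
  return { ok: true, seconds };
}

// Constructed sample inputs: one expected value, the rest malformed or hostile.
const samples = ["3", "61", "3abc", '"><script>alert(1)</script>', "", " 3"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(parseLoadingDuration(s)));
}
console.log(renderDurationDiv('"><script>alert(1)</script>'));
```

Only "3" passes the validator; the rendered div carries the hostile sample as inert attribute text.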
