Last active Oct 2, 2022
XSS attack demo with innerHTML

Tested with Chrome, Firefox and Safari.

The following code will not trigger an alert:

target.innerHTML = "<script> alert('XSS Attack'); </script>";

The following code will trigger an alert:

target.innerHTML = "<img src=x onerror=\"alert('XSS Attack')\" >";
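Added example (not the gist author's code): the defender's side of the same demo. It takes the two strings from the gist and shows the two ways to keep them from ever becoming markup, assigning with textContent (never parsed) or escaping the data portion before it is concatenated into an innerHTML string. The names escapeHtml, renderUntrusted, renderLabelled and makeTarget are hypothetical helpers chosen here; under Node a plain object stands in for the DOM element, in a browser a real div is used.

```javascript
// Added example, not code from the gist. The two payload strings are the
// gist's own; all function names below are hypothetical helper names.

const PAYLOAD_SCRIPT = "<script> alert('XSS Attack'); </script>";
const PAYLOAD_IMG = "<img src=x onerror=\"alert('XSS Attack')\" >";

// Escape the five characters that can open a tag or break out of an attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Preferred fix: untrusted data goes in as text. textContent is never parsed,
// so no <img> element and therefore no onerror handler is ever created.
function renderUntrusted(target, untrusted) {
  target.textContent = untrusted;
  return target.textContent;
}

// When the surrounding markup is yours and only the data is untrusted, escape
// the data before it is concatenated into the innerHTML string.
function renderLabelled(target, label, untrusted) {
  target.innerHTML = "<b>" + escapeHtml(label) + "</b>: " + escapeHtml(untrusted);
  return target.innerHTML;
}

// Real element in a browser; a plain stand-in object under Node (no DOM there).
function makeTarget() {
  if (typeof document !== "undefined") return document.createElement("div");
  return { innerHTML: "", textContent: "" };
}

const el = makeTarget();
console.log(renderUntrusted(el, PAYLOAD_IMG));            // the raw string, shown as text
console.log(renderLabelled(el, "comment", PAYLOAD_IMG));  // <b>comment</b>: &lt;img ...
console.log(renderLabelled(el, "comment", PAYLOAD_SCRIPT));
if (typeof document !== "undefined") {
  // Only a real DOM can show this part: after escaping, no img element exists.
  console.log("img elements created:", el.querySelectorAll("img").length); // 0
}
```

Open the browser console on any page, paste the block and the last line reports zero img elements, which is the whole point: the onerror attribute only fires when the parser is allowed to turn the string into an element.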


Tomas2D commented Jun 23, 2017

Good note!


JenningFan commented Feb 26, 2019

Good note, but I want to know why.


g13n commented Sep 24, 2019

HTML5 specifies that a <script> tag inserted with innerHTML should not execute.


imambungo commented Apr 27, 2020

Well, the latter didn't work on GitHub.


YahyaRechaki commented Oct 2, 2022

The second code won't work, because the src value inside the code target.innerHTML = "<img src=x onerror="alert('XSS Attack')" >"; should be inside quotes ('').
