@caike
Last active Oct 2, 2022
XSS attack demo with innerHTML

Tested with Chrome, Firefox and Safari.

The following code will not trigger an alert, because a <script> element inserted through innerHTML is never executed: target.innerHTML = "<script> alert('XSS Attack'); </script>";

The following code will trigger an alert, because the <img> fails to load src=x and its onerror handler runs: target.innerHTML = "<img src=x onerror=\"alert('XSS Attack')\" >";
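As an added example that is not part of the gist, the snippet below feeds the gist's two payloads to the same innerHTML sink and puts a hardened rendering path next to it. The names renderUnsafe, renderSafe, escapeHtml and looksLikeMarkup are this example's own; the browser walkthrough at the bottom is guarded so the file also loads outside a browser.

```javascript
// Added example (not from the gist): the two payloads from the gist against an
// innerHTML sink, beside a hardened path that treats the input as text.

// Payloads exactly as given in the gist.
const SCRIPT_PAYLOAD = "<script> alert('XSS Attack'); </script>";
const IMG_PAYLOAD = "<img src=x onerror=\"alert('XSS Attack')\" >";

// Vulnerable sink: the string is handed to the HTML fragment parser. A <script>
// element created this way is flagged "already started" by the HTML spec and
// never runs, but an <img> whose src fails to load fires its onerror handler.
function renderUnsafe(target, untrusted) {
  target.innerHTML = untrusted;
}

// Hardened sink: textContent never invokes the HTML parser, so '<' and '>'
// become literal characters and no element (and no handler) is created.
function renderSafe(target, untrusted) {
  target.textContent = untrusted;
}

// For code paths that must build HTML strings (templating), escape the five
// characters that matter in element content and in attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// True if the string still contains something the parser would treat as a tag,
// i.e. escaping was skipped somewhere on the way to the sink.
function looksLikeMarkup(s) {
  return /<[a-zA-Z!/]/.test(s);
}

// Browser-only walkthrough (hypothetical page); skipped under Node.
if (typeof document !== 'undefined') {
  const target = document.createElement('div');
  document.body.appendChild(target);
  renderUnsafe(target, SCRIPT_PAYLOAD);          // no alert
  renderUnsafe(target, IMG_PAYLOAD);             // alert('XSS Attack') fires
  renderSafe(target, IMG_PAYLOAD);               // tag shown as text, no alert
  renderUnsafe(target, escapeHtml(IMG_PAYLOAD)); // tag shown as text, no alert
}
```

The takeaway is that the difference between the two payloads is a property of the HTML parser, not of the browser: any sink that parses a string as HTML (innerHTML, outerHTML, insertAdjacentHTML, document.write) is exploitable through event-handler attributes even though inline <script> is inert, so untrusted data should go through textContent or an escaper before it reaches such a sink.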

@Tomas2D

Tomas2D commented Jun 23, 2017

Good note!

@JenningFan

JenningFan commented Feb 26, 2019

Good note, but I want to know why.

@g13n

g13n commented Sep 24, 2019

HTML5 specifies that a <script> tag inserted with innerHTML should not execute.
https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML

@imambungo

imambungo commented Apr 27, 2020

Well, the latter didn't work on GitHub.

@YahyaRechaki

YahyaRechaki commented Oct 2, 2022

The second code won't work, because the src value inside the code target.innerHTML = "<img src=x onerror="alert('XSS Attack')" >"; should be inside quotes ('').
