Last active October 2, 2022 14:37
XSS attack demo with innerHTML

Tested with Chrome, Firefox and Safari.

The following code will not trigger an alert. target.innerHTML = "<script> alert('XSS Attack'); </script>";

The following code will trigger an alert. target.innerHTML = "<img src=x onerror=\"alert('XSS Attack')\" >";
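The two lines above show the point that matters for defenders: innerHTML leaves an inserted script inert but still wires up event-handler attributes such as onerror, so a filter that only strips script tags is not a fix. The Node-runnable example below is added here and is not part of the gist; it uses the gist's two payloads as constructed input, a naive strip-only filter (a hypothetical helper named stripScriptTags), and HTML entity encoding as the safe way to render untrusted input as text.

```javascript
// Added example, not part of the original gist.
// Both payloads are the ones from the gist, embedded here as constructed input.
const SCRIPT_PAYLOAD = "<script> alert('XSS Attack'); </script>";
const IMG_PAYLOAD = "<img src=x onerror=\"alert('XSS Attack')\" >";

// Naive filter (hypothetical helper): removes <script> elements and nothing else.
// Developers sometimes write this after learning that innerHTML does not run
// inserted scripts; it does nothing about the second payload.
function stripScriptTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Check whether a fragment still carries an inline event-handler attribute
// (onerror, onload, onclick, ...). Such handlers DO run after innerHTML
// assignment as soon as the element fires the event, which is why the
// <img src=x onerror=...> payload alerts while the <script> one does not.
function hasInlineEventHandler(html) {
  return /<[a-z][^>]*\s+on[a-z]+\s*=/i.test(html);
}

// Safe handling when the untrusted value is data rather than markup: encode
// the five HTML-significant characters so the browser shows them literally.
// In the browser, assigning the raw string to element.textContent has the
// same effect; this function gives the same result outside a DOM.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Run the two payloads through both approaches and report what survives.
function evaluate(payload) {
  const stripped = stripScriptTags(payload);
  return {
    stripOnlyStillDangerous: hasInlineEventHandler(stripped),
    escapedStillDangerous: hasInlineEventHandler(escapeHtml(payload)),
  };
}

console.log("script payload:", evaluate(SCRIPT_PAYLOAD));
console.log("img payload:   ", evaluate(IMG_PAYLOAD));
```

The strip-only filter leaves the img payload untouched, so its onerror handler survives; entity encoding neutralises both, and in a real application a vetted HTML sanitizer is the alternative when markup must be preserved.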

Tomas2D commented Jun 23, 2017

Good note!

Good note, but I want to know why.

g13n commented Sep 24, 2019

HTML5 specifies that a <script> tag inserted with innerHTML should not execute.

Well, the latter didn't work on GitHub.

The second code won't work, because the src value inside the code target.innerHTML = "<img src=x onerror="alert('XSS Attack')" >"; should be inside quotes ('').
