Skip to content

Instantly share code, notes, and snippets.

@caike
Last active October 6, 2024 09:17
Show Gist options
  • Save caike/35522c3da161d29fc2ce to your computer and use it in GitHub Desktop.
Save caike/35522c3da161d29fc2ce to your computer and use it in GitHub Desktop.
XSS attack demo with innerHTML

Tested with Chrome, Firefox and Safari.

The following code will not trigger an alert. target.innerHTML = "<script> alert('XSS Attack'); </script>";

The following code will trigger an alert. target.innerHTML = "<img src=x onerror=\"alert('XSS Attack')\" >";

@Tomas2D
Copy link

Tomas2D commented Jun 23, 2017

Good note!

@JenningFan
Copy link

good note, but i wanna to know why

@g13n
Copy link

g13n commented Sep 24, 2019

HTML5 specifies that a <script> tag inserted with innerHTML should not execute.
https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML

@imambungo
Copy link

Well, the latter didn't work on GitHub.

@YahyaRechaki
Copy link

the second code won't work, because the src value inside the code target.innerHTML = "<img src=x onerror="alert('XSS Attack')" >"; should be inside quotes ('')

@letmehear159
Copy link

You really saved me! I am trying to demo an xss attack but it did not work with the first way for chrome, the second way works perfectly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment