@caike
Last active October 2, 2022 14:37
XSS attack demo with innerHTML

Tested with Chrome, Firefox and Safari.

The following code will not trigger an alert. target.innerHTML = "<script> alert('XSS Attack'); </script>";

The following code will trigger an alert. target.innerHTML = "<img src=x onerror=\"alert('XSS Attack')\" >";
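As an added example (not part of the gist or its author's code), here is the defensive counterpart to the two snippets above: untrusted input should never reach the HTML parser as markup. Either assign it to textContent, which the browser treats as data, or escape it before it is concatenated into an HTML string that ends up in innerHTML. The element id "target" is an assumption carried over from the gist's variable name, and the two sample inputs are the gist's own strings, embedded here as constructed test data.

```javascript
// Added example, not from the gist: safe rendering of untrusted strings.
// Two defensive options are shown:
//  1. textContent, which never creates elements or event handlers;
//  2. escaping the five HTML-significant characters before building an
//     HTML string, so "<img ... onerror=...>" becomes inert text.

// Escape the characters that HTML treats as markup or attribute delimiters.
function escapeHtml(untrusted) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render untrusted input as text. textContent never parses markup, so
// neither the <script> variant nor the <img onerror> variant from the gist
// does anything except appear as literal characters on the page.
function renderUntrustedText(target, untrusted) {
  target.textContent = String(untrusted);
  return target.textContent;
}

// Build a small HTML fragment from untrusted items, escaping each one so the
// resulting string can be assigned to innerHTML without handing the attacker
// any tag or attribute of their own.
function renderUntrustedList(target, items) {
  const lis = items.map((item) => `<li>${escapeHtml(item)}</li>`).join("");
  target.innerHTML = `<ul>${lis}</ul>`;
  return target.innerHTML;
}

// Constructed sample inputs: the two payload strings quoted in the gist.
const SAMPLE_SCRIPT = "<script> alert('XSS Attack'); </script>";
const SAMPLE_IMG = "<img src=x onerror=\"alert('XSS Attack')\" >";

// Browser usage (assumes an element with id "target" exists on the page).
// Skipped when run outside a browser, e.g. under Node.
if (typeof document !== "undefined") {
  const target = document.getElementById("target");
  if (target) {
    renderUntrustedText(target, SAMPLE_IMG);                  // tag shown as text, no alert
    renderUntrustedList(target, [SAMPLE_SCRIPT, SAMPLE_IMG]); // two inert list items
  }
}
```

The check a reviewer wants here is that the escaped output contains no "<" or unescaped quote at all, so there is no position from which the browser could start a tag or close an attribute; that is what makes the onerror variant, which the gist shows does fire through innerHTML, harmless once escaped.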

@Tomas2D

Tomas2D commented Jun 23, 2017

Good note!

@JenningFan

Good note, but I want to know why.

@g13n

g13n commented Sep 24, 2019

HTML5 specifies that a <script> tag inserted with innerHTML should not execute.
https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML

@imambungo

Well, the latter didn't work on GitHub.

@YahyaRechaki

The second code won't work, because the src value inside the code target.innerHTML = "<img src=x onerror="alert('XSS Attack')" >"; should be inside quotes ('').
