Skip to content

Instantly share code, notes, and snippets.

@caike
Last active October 2, 2022 14:37
  • Star 10 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save caike/35522c3da161d29fc2ce to your computer and use it in GitHub Desktop.
XSS attack demo with innerHTML

Tested with Chrome, Firefox and Safari.

The following code will not trigger an alert. target.innerHTML = "<script> alert('XSS Attack'); </script>";

The following code will trigger an alert. target.innerHTML = "<img src=x onerror=\"alert('XSS Attack')\" >";

@imambungo
Copy link

Well, the latter didn't work on GitHub.

@YahyaRechaki
Copy link

the second code won't work, because the src value inside the code target.innerHTML = "<img src=x onerror="alert('XSS Attack')" >"; should be inside quotes ('')

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment