Modern browsers seem to XSS filter element.innerHTML property

index.html

<button onclick="run()">RUN</button><br>
element
<div class="box" id="foo"></div>
src
<textarea class="box" id="fooSrc"></textarea>

Modern browsers seem to XSS filter element.innerHTML property.markdown

Modern browsers seem to XSS filter element.innerHTML property

A Pen by Estevão Soares dos Santos on CodePen.

License.

script.js

function run() {
  var html = "<a class='some-link' data-bind='click: function(){ someMethod('one', 'two'); }'>two</a>"
  
  document.getElementById('foo').innerHTML = html;
  var foo = document.getElementById('foo').innerHTML;
  document.getElementById('fooSrc').value = foo;
}

style.css

.box {
  display: block;
  width: 30%;
  height: 100px;
  border: 1px solid #ccc;
  background-color: #eee;
}