Setting innerHTML using script inside

Question

Setting innerHTML using script inside

If I run the following line in Firebug on any page:

document.documentElement.innerHTML="<script>alert(1)</script>";

why the command is not executed alert?

+5

javascript firebug innerhtml

tic Jul 27 '12 at 20:07

source share

4 answers

eval, . - :

var scr = document.createElement('script');
scr.src = 'yourscriptsource';
document.body.appendChild(scr);

, !

0

axcdnt 27 . '12 20:17

, html innerhtml.

: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

:

var newScript = document.createElement( "script" );
newScript.type = 'text/javascript';
var scriptContent = document.createTextNode( "googletag.cmd.push( function() { googletag.display( '" + encodeURIComponent( divID ) + "' ); } );" ); 
newScript.appendChild( scriptContent );

Here is an example in action: https://jsfiddle.net/BrianLayman/4nu667c9/

0

Brian layman Jun 16 '16 at 16:27

source share

You must not do this. In Firebug, click the Console tab. You can enter the code right there. Next to the three blue angle brackets at the bottom of the console, type this, and then press enter:alert("asdf");

-4

austincheney Jul 27 '12 at 20:23

source share

apsillers · Accepted Answer · 2012-07-27T20:26:38+0000

It looks like the tag is being <script>added as you expect, but the code inside it is not executing. The same error occurs if you try to use document.head(or any other DOM element, it seems). For some reason (possibly adhering to standards, possible security), inline code inside blocks <script>added through .innerHTMLsimply does not start.

However, I have working code that creates similar functionality:

var script = document.createElement('script');
script[(script.innerText===undefined?"textContent":"innerText")] = 'alert(1);';
document.documentElement.appendChild(script);

<script> documentElement.appendChild textContent innerText <script>.

Setting innerHTML using script inside

More articles: