By tic


2012-07-27 20:07:37 8 Comments

If I run the following line in Firebug on any page:

document.documentElement.innerHTML="<script>alert(1)</script>";

why isn't the alert command executed?

4 comments

@Brian Layman 2016-06-16 16:27:36

It is always best to create the elements and append them rather than straight inserting any html using innerHTML.

You can read more about it here: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

This fragment works:

// divID is assumed to be defined elsewhere (the id of the ad slot to display)
var newScript = document.createElement( "script" );
newScript.type = 'text/javascript';
// the code goes in as a text node, so it is never parsed as HTML
var scriptContent = document.createTextNode( "googletag.cmd.push( function() { googletag.display( '" + encodeURIComponent( divID ) + "' ); } );" );
newScript.appendChild( scriptContent );
// the script only runs once the element is attached to the document
document.body.appendChild( newScript );

Here is the example in action: https://jsfiddle.net/BrianLayman/4nu667c9/

@apsillers 2012-07-27 20:26:38

It looks like your <script> tag is being added as you expect, but the code within it is not being executed. The same failure happens if you try using document.head (or any other DOM element, it seems). For whatever reason (possibly standards compliance, possibly security), inline code inside of <script> blocks that are added via .innerHTML simply doesn't run.

However, I do have working code that produces similar functionality:

var script = document.createElement('script');
script[(script.innerText===undefined?"textContent":"innerText")] = 'alert(1);';
document.documentElement.appendChild(script);

Here, you add the <script> block with documentElement.appendChild and use textContent or innerText to set the content of the <script>.

@BarryMode 2017-03-28 00:56:23

Nice alternative to eval().

@austincheney 2012-07-27 20:23:51

You don't need to do that. In Firebug go to the "Console" tab. You can enter code directly there. Next to the three blue angle brackets at the bottom of the console type this and then hit the enter key: alert("asdf");

@apsillers 2012-07-27 20:46:37

The OP is trying to diagnose why this line of code does not work as expected. The OP almost certainly is already using the Firebug console (where else could (s)he run the following line in Firebug other than the console?).

@axcdnt 2012-07-27 20:17:01

Actually you can use eval but that's not a good practice for security issues. You can do something like this:

var scr = document.createElement('script');
scr.src = 'yourscriptsource';
document.body.appendChild(scr);

Hope it helps!
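The two working patterns from the answers above (inline code via textContent, external code via src), as an added example that is not from the original thread. It also shows how to hand a page-supplied value to the script through a data-* attribute instead of concatenating it into JavaScript source. The `doc` parameter and the small stand-in document are assumptions of this example so it can run under Node as well as in a browser.

```javascript
// Add an inline <script> the DOM way. textContent is set, not innerHTML,
// so the string is treated as code and the element is created by the DOM
// API rather than by the HTML fragment parser (which leaves innerHTML
// scripts inert).
function addInlineScript(doc, code, parent) {
  const s = doc.createElement('script');
  s.textContent = code;
  (parent || doc.documentElement).appendChild(s);
  return s;
}

// Load an external script and pass it a value via a data-* attribute.
// The loaded script can read document.currentScript.dataset.divId, so the
// value never becomes part of a code string.
function addExternalScript(doc, src, divId, parent) {
  const s = doc.createElement('script');
  s.src = src;
  s.setAttribute('data-div-id', divId);
  (parent || doc.documentElement).appendChild(s);
  return s;
}

// Minimal stand-in for the few DOM calls used above (constructed for this
// example; it records what would be inserted but executes nothing).
function makeFakeDocument() {
  const make = (tag) => ({
    tagName: tag, textContent: '', src: '', attrs: {}, children: [],
    setAttribute(k, v) { this.attrs[k] = String(v); },
    appendChild(c) { this.children.push(c); return c; },
  });
  return { createElement: make, documentElement: make('html') };
}

const doc = typeof document !== 'undefined' ? document : makeFakeDocument();
const inline = addInlineScript(doc, 'alert(1);');
// A value containing quote characters stays an attribute value; it cannot
// alter the code of the loaded script.
const ext = addExternalScript(doc, '/gpt-loader.js', "slot-1' ); alert( 1 ); ( '");
```

In a browser the inline script runs as soon as it is appended, exactly as in the answer above; under Node the stand-in only records the inserted elements.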
