0

For instance:

document.getElementById("test").innerHTML= "<script>document.write('worked')</script>";

The result is:

<div id="test"><script>document.write('worked')</script></div>

i.e no JS is run. Why don't I just make .innerhtml "worked" to start with? This is a question of technical ability. Is it possible to run javascript in the DOM with the given scenario?

Thank you

user1166981
  • 1,738
  • 8
  • 26
  • 44
  • why do you need this for? – Guanxi Jul 19 '13 at 21:18
  • @Guanxi to know if it is possible or not – user1166981 Jul 19 '13 at 21:19
  • I doubt it would work; have you tried it? (you'd need to test in all browsers to be sure). but why would you want to do this anyway? what would it gain you? A script element in the code only exists so that the code can be run... and if you're in a JS context anyway, you can already run the code, so what would be the advantage of putting it into a script tag? – Spudley Jul 19 '13 at 21:21
  • I think you would need to parse the page and eval() the javascript bits – Charlie Brown Jul 19 '13 at 21:24
  • innerHTML is intended to insert HTML, go figure. Therefore your – iGanja Jul 19 '13 at 21:32
  • Still, the answer to your question is: No; and the follow up question is: Why would you want to? – iGanja Jul 19 '13 at 21:38

1 Answers1

3

It's not enough to simply set the innerHTML to something that contains a script tag. You must create a script element and append it to the DOM. I believe the intent is to give some cross site scripting protection when injecting massive blobs of content.

var script = document.createElement('script');
script.innerHTML = "alert('ran some JS');";
document.body.appendChild(script);

Example: http://jsfiddle.net/axvaT/

document.write won't work like you think though. document.write will not place text where the script tag is. Instead it will place text where the HTML parser is currently looking at. Depending on when the JS code is run, these may be the same, or maybe entirely different.

So for this reason, among others, never use document.write for anything. Ever. Even debugging.

Lastly, while sometimes it's useful to inject a script tag pointing to some other js file:

var script = document.createElement('script');
script.src = 'somefile.js';
document.head.appendChild(script);

Doing this with a script tag that has JS in it makes no sense. You are using javascript to create a script tag that should immediately run some javascript. Why not just run that javascript that you want to run away instead of creating a new script tag to do it for you?

So don't do:

var script = document.createElement('script');
script.innerHTML = "alert('ran some JS');";
document.body.appendChild(script);

Instead just do:

alert('ran some JS');
Alex Wayne
  • 178,991
  • 47
  • 309
  • 337
  • Doesn't that have to already be within JS script tags to work though? I am talking about writing code to an inner.html, then that code running instead of being ignored like it does in my example – user1166981 Jul 19 '13 at 21:26
  • If you _really_ want to do this via large innerHTML injection, you must find the script tags and manually eval them. http://stackoverflow.com/questions/1197575/can-scripts-be-inserted-with-innerhtml But really, think about what you are trying to do. I'm quite sure there is a better way that makes this whole question unnecessary. – Alex Wayne Jul 19 '13 at 21:31