21

I'm stuck with this problem:

<body onload="document.body.innerHTML="<script>alert('hi')</script>"">

The problem is that i cant use quotes within quotes within quotes. Any ideas?

j08691
  • 204,283
  • 31
  • 260
  • 272
flimmerkiste
  • 261
  • 1
  • 4
  • 7

4 Answers4

33

To represent a " character inside an HTML attribute delimited by " characters, use the entity &quot;

I'd recommend attaching event listeners using JavaScript rather then using intrinsic event attributes though. It simplifies things greatly.

Note however, that browsers will not execute JavaScript added to the document with innerHTML. If you want to add a script programatically, the use createElement / appendChild et al.

Community
  • 1
  • 1
Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
10
<body onload='document.body.innerHTML="<script>alert(\"hi\")</script>"'>

or

<body onload="document.body.innerHTML='<script>alert(\'hi\')</script>'">

It does work, but the script doesn't get executed because it is added after the browser parsed your code.

Note that if you wanted quotes within quotes within quotes within quotes you would have done: <body onload="document.body.innerHTML='<script>alert(\'\\\'hi\\\'\')</script>'" >

What is really impossible (i think) without &quot; is putting " and ' in the alert.

Alexandre Khoury
  • 3,896
  • 5
  • 37
  • 58
2

You could use a combination of backticks(`), single quotes, and double quotes.

Code:

<body onload="document.body.innerHTML=`<script>alert('hi')</script>`">
KetZoomer
  • 2,701
  • 3
  • 15
  • 43
0

Gah! First off, don't do it that way. :D

Something like:

<body></body>

<script>
    window.onload = function () {
        document.body.innerHTML = "<script>alert('hi')</script>";
    }
</script>

. . . would be better. Consider some JQuery solutions, as well.

Even that specific approach, I wouldn't recommend, but I suspect that you are simply testing out how to add content to the body of your HTML after the page is loaded, rather than actually wanting to use the alert(). ;) If that's the case, try something like this:

<body></body>

<script>
    window.onload = function () {
        document.body.innerHTML = "some text";
        alert('hi'); // if you really want to test that the JS is working after load.
    }
</script>
talemyn
  • 7,822
  • 4
  • 31
  • 52
  • 1
    this doesnt address the problem of "using quotes within quotes within quotes" at all – InsOp May 29 '17 at 09:28
  • @InsOp - Sometimes question titles only capture part of a problem or one way of looking at a problem. The code provided in the original question was not simply an issue of "using quotes within quotes within quotes" . . . the OP was trying to achieve a specific functionality and the multiple levels of quotes were causing him a problem in his approach. One of the several ways to resolve his issue was to remove the logic that was causing a need for all those layers of quotes (the approach that I documented). It may not have answered the question in the title, but it *does* solves his issue. – talemyn May 30 '17 at 15:21
  • 1
    one can clearly see that this is an simplified example so we can address exactly the issue of "using quotes within quotes within quotes" – InsOp Jun 07 '17 at 09:51
  • @InsOp - Just doing what the site guidelines suggest: "Read the question carefully. What, specifically, is the question asking for? Make sure your answer provides that – or a viable alternative. The answer can be “don’t do that”, but it should also include “try this instead”. Any answer that gets the asker going in the right direction is helpful, but do try to mention any limitations, assumptions or simplifications in your answer. Brevity is acceptable, but fuller explanations are better." Others tried to help the OP use the quotes correctly, I tried to help him not have to use them at all. – talemyn Jun 07 '17 at 14:02