Why is this javascript injection attack not working?

Question

I am trying to find the right way to harden my Javascript against code injection attacks.

So, I created what I thought would be a successful code injection:

    document.getElementById("result").innerHTML = "hello <script> alert(0) <\/script> kuku";

Evaluating document.getElementById("result").innerHTML in debugger shows that it did go through:

"hello <script> alert(0) </script> kuku"

So how come there is no alert?

What do you mean, "*it did go through*"? The script seems clearly to no have been evaluated. — Bergi, May 18 '15 at 01:47

score 2 · Answer 1 · answered May 18 '15 at 01:48

2

Setting the .innerHTML to content that includes <script> blocks will never cause the code embedded to be evaluated. That's just how .innerHTML works.

answered May 18 '15 at 01:48

Pointy

405,095
59
585
614

1

This answer is more direct and to the point compared to the one in the duplicate :D – slebetman May 18 '15 at 01:57
Is it true for all browsers? – Irina Rapoport May 18 '15 at 02:11
1

@ТаняТ.: It's true for IE, Safari, Chrome, Netscape, Firefox, Opera and Konqueror. Not sure about the rest. Is that enough for you? – slebetman May 18 '15 at 02:18
1

Of course, NCSA Mosiac never implemented javascript so it's a non-issue for Mosiac. – slebetman May 18 '15 at 02:19

Why is this javascript injection attack not working?

1 Answers1