
I have the following code

<!DOCTYPE html>
<html>
<body>

<h2>Create Object from JSON String</h2>

<p id="demo"></p>

<script>
  // JSON text with a script tag embedded in one of the data fields
  var text = '{"employees":[' +
    '{"firstName":"John","lastName":"Doe" },' +
    '{"firstName":"Anna","lastName":"<script>alert(1)<//script>" },' +
    '{"firstName":"Peter","lastName":"Jones" }]}';

  // Declare obj locally instead of creating an implicit global
  var obj = JSON.parse(text);
  document.getElementById("demo").innerHTML =
    obj.employees[1].firstName + " " + obj.employees[1].lastName;
</script>

</body>
</html>

As we all know, JSON.parse converts a string to a JavaScript object. When I try to render the script tag from the JavaScript, it is breaking and not executing the script. Any idea why it's not working?

user1844634
    This is by design. It would be a security flaw if this was possible. A better approach would be to store the value to be shown in its own property then call `alert(obj.employees[1].lastname)` after you have parsed the JSON – Rory McCrossan May 25 '16 at 20:27
  • innerHTML doesn't execute javascript – Travis J May 25 '16 at 20:29
  • When I try to execute, it's breaking. I am expecting it to print Anna – user1844634 May 25 '16 at 20:33

0 Answers
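The comments state the two facts that answer the question: script elements inserted through innerHTML are not executed, and the data should be shown rather than run. The following is an added example, not code from the question or its commenters, showing the defensive way to display such a field: parse the JSON, then render the name with textContent, which never interprets the string as markup, so "Anna" and the literal tag text both appear on the page. It also includes an escapeHtml helper for the case where an HTML string has to be built by concatenation, because innerHTML refusing to run script elements is a parser rule, not a sanitizer: the rest of the inserted string is still parsed as HTML. The function names (parseEmployees, renderEmployee, escapeHtml, employeeHtml) are my own; the sample JSON is constructed to match the question's shape. One detail worth knowing: inside an inline `<script>` the HTML parser ends the script element at the first literal `</script>` it sees, regardless of JavaScript string quoting, which is why the sample spells it `<\/script>` in the string literal.

```javascript
// Added example (not from the question or its comments). Runs in a browser;
// under Node, any object with a textContent property can stand in for the element.

// Constructed sample input with the same shape as the question's JSON.
// "<\/script>" keeps a literal "</script>" out of inline <script> source,
// where the HTML parser would otherwise close the script element early.
const text = '{"employees":[' +
  '{"firstName":"John","lastName":"Doe"},' +
  '{"firstName":"Anna","lastName":"<script>alert(1)<\/script>"},' +
  '{"firstName":"Peter","lastName":"Jones"}]}';

// Parse and validate the shape before touching any field.
function parseEmployees(json) {
  const obj = JSON.parse(json);
  if (!obj || !Array.isArray(obj.employees)) {
    throw new TypeError('expected an object with an "employees" array');
  }
  return obj.employees;
}

// Render one employee as plain text. textContent never parses its argument
// as HTML, so a "<script>" in the data is shown as those literal characters.
function renderEmployee(el, employee) {
  const label = employee.firstName + ' ' + employee.lastName;
  el.textContent = label;
  return label;
}

// When an HTML string must be assembled by hand, escape the data first.
// innerHTML not running <script> elements is not a sanitizer: everything
// else in the string is still interpreted as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Safe list item built from untrusted fields.
function employeeHtml(employee) {
  return '<li>' + escapeHtml(employee.firstName) + ' ' +
    escapeHtml(employee.lastName) + '</li>';
}

// Browser usage: show the second employee in the #demo element.
if (typeof document !== 'undefined') {
  const employees = parseEmployees(text);
  renderEmployee(document.getElementById('demo'), employees[1]);
}
```

With textContent the paragraph reads "Anna <script>alert(1)</script>" as visible text; with the question's innerHTML assignment the same string is parsed as markup and the tag is swallowed rather than displayed, which is the "breaking" the question describes.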