Creation of XSS vulnerable web page

Question

I want to create a XSS vulnerable web page which execute script entered in input box. Here I have written this code but whenever I enter script nothing happens.

<html>

<head>
</head>

<body>
<script type="text/javascript">
function changeThis(){
    var formInput = document.getElementById('theInput').value;
    document.getElementById('newText').innerHTML = formInput;
    localStorage.setItem("name","Hello world!!!");
}
</script>

<p>You wrote: <span id='newText'></span> </p> 

<input type='text' id='theInput' value='Write here' />
<input type='button' onclick='changeThis()' value='See what you wrote'/>
</body>

</html>

Please help. How should I modify the code?
Update: I was trying to do reflected XSS. According to me if I enter a script in input It should execute. This will happen only when I am not checking that user has entered a valid input or not and taking actions not to execute script.
Here is a web page www.insecurelabs.org/task/Rule1 which is XSS vulnerable when ever I type a script like: <script> alert("hell"); </script> in input field script executes.
I want to know what is the main difference between that and what I am doing?

Answer 1

If you use innerHTML to inject a script tag... the script won't run!

What you could do instead is inject an image with an onload event handler:

<img src="someImage.gif" onload="alert('hacked!')" />

[Update] About your last question: the main difference is that you are using innerHTML, while the insecurelabs page is using jQuery.html(). The jQuery approach will run the script.

Live demo: http://jsfiddle.net/wqqWt/

Answer 2

Just eval the code:

function changeThis(){
    var formInput = document.getElementById('theInput').value;
    eval(formInput);
}