kodu

Reputation: 2386

Why is this not XSS vulnerable?

I'm trying to make a small XSS-demo for myself, but it's not working as expected. I have an input-box and a button. Clicking the button displays the value of the input-box in a div. This is the callback I wrote for onclick:

var showInput = function()
{
    var field = document.getElementById("field1");
    var box = document.getElementById("displayArea");
    box.innerHTML = field.value;
}

When I type in < script>alert("XSS!");< /script> in the box and click the button, nothing is shown and nothing happens. Am I understanding XSS wrong? Can anyone give a simple example of something that would be vulnerable?

Upvotes: 0

Views: 351

Answers (3)

Jasvir

Reputation: 516

Your original code still has a DOM-based XSS. Modern browsers do not execute script tags when they are assigned to innerHTML. They are still vulnerable via event handlers, however. For example, if your input was: <img src=nonexistent onerror=alert(1)> then you'd get a popup as you were expecting.

Upvotes: 1

Barmar

Reputation: 780673

Assigning to .innerHTML does not execute <script> tags. In order to create scripts dynamically, you have to use document.createElement('script').

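// field and box are the same elements looked up in the question's showInput()
var field = document.getElementById("field1");
var box = document.getElementById("displayArea");
var script = document.createElement('script');
script.innerHTML = field.value;
box.appendChild(script);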

DEMO

Upvotes: 4

evuez

Reputation: 3387

This will just insert the code in the page "temporarily" and won't execute it. If you reload the page, it won't be in the page source anymore. If you want this to work, you could try to do it with some simple PHP code:

xss.php

<?php
echo $_GET['xss'];
?>

Then if you access this page with JS code as the GET parameter, it would execute the code:

localhost/xss.php?xss=<script>alert('XSS!');</script>

This will work because the script will be "inserted" in your page before it is actually rendered.

Upvotes: 2
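
The hardened counterpart of the two sinks discussed in this thread (the question's innerHTML assignment and the reflected xss.php output), as an added example that is not part of any answer above. The function names and the "showButton" id are hypothetical; the payloads used to check it are the ones quoted in the answers.

```javascript
// Encode the five characters that can change parsing in HTML text and
// quoted-attribute contexts. "&" goes first so the entities produced by
// the later replacements are not double-encoded.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// DOM case (the question's showInput): write through textContent, which
// creates a text node and never invokes the HTML parser, so neither
// <script> nor event-handler attributes such as onerror are interpreted.
function showInputSafe(field, box) {
  box.textContent = field.value;
}

// Reflected case (the xss.php answer): the parameter is encoded before it
// is placed into the response body, so it renders as visible text.
function renderReflected(param) {
  return '<!doctype html><div id="displayArea">' + escapeHtml(param) + "</div>";
}

// Browser wiring; skipped when no DOM is present (for example under Node).
if (typeof document !== "undefined") {
  var button = document.getElementById("showButton"); // hypothetical id
  if (button) {
    button.onclick = function () {
      showInputSafe(document.getElementById("field1"),
                    document.getElementById("displayArea"));
    };
  }
}
```

In xss.php itself the equivalent of escapeHtml is `htmlspecialchars($_GET['xss'], ENT_QUOTES, 'UTF-8')`.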
