Reputation: 1
I am working on an educational project to demonstrate a stored XSS vulnerability using JavaScript. However, I'm encountering an issue where the injected script is not executing as expected. I have tried several troubleshooting steps, but I haven't been able to resolve the problem.
Here are the details:
Code: I have created an HTML file with the following code:
    <!DOCTYPE html>
    <html>
    <head>
        <title>Stored XSS Vulnerability Example</title>
    </head>
    <body>
        <h1>Welcome to the Example Website!</h1>
        <form onsubmit="submitComment(event)">
            <input type="text" id="comment-input">
            <button type="submit">Submit</button>
        </form>
        <div id="comments"></div>
        <script>
            function submitComment(event) {
                event.preventDefault();
                var comment = document.getElementById("comment-input").value;
                var commentElement = document.createElement("p");
                commentElement.innerHTML = comment;
                document.getElementById("comments").appendChild(commentElement);
                eval(comment);
            }
        </script>
    </body>
    </html>
Issue:
When I input a script like <script>alert("This is my malicious script!")</script> into the text box and submit the form, the script is not executing as expected. Instead, it treats the input as plain text and displays it in the comments section without executing the script.
Troubleshooting steps taken:
Expected behavior:
I expect the injected script to execute and display an alert box with the message "This is my malicious script!" when the comments section is rendered. I would greatly appreciate any insights or suggestions you have regarding why the script is not executing as expected. If there are any alternative approaches I can try to demonstrate the XSS vulnerability, I'm open to suggestions.
Upvotes: 0
Views: 20
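For contrast with the handler in the question, here is the same comment flow in hardened form, as an added example that is not part of the original post: comments are kept as raw text, rendered with `textContent` so markup inside a comment is never parsed, and the `eval` call is gone. Persisting comments in Web Storage, `STORAGE_KEY`, and the helper names are assumptions made for this example.

```javascript
// Added example, not from the original post. Assumed names: STORAGE_KEY,
// loadComments, saveComment, renderComments. `storage` is any object with the
// Web Storage getItem/setItem interface (localStorage in a browser).
const STORAGE_KEY = "comments"; // hypothetical key

function loadComments(storage) {
  try {
    const parsed = JSON.parse(storage.getItem(STORAGE_KEY) || "[]");
    // Keep only strings so a tampered store cannot smuggle in other types.
    return Array.isArray(parsed) ? parsed.filter((c) => typeof c === "string") : [];
  } catch (e) {
    return []; // corrupt JSON: treat as empty instead of breaking the page
  }
}

function saveComment(storage, comment) {
  const comments = loadComments(storage);
  comments.push(String(comment)); // keep the raw text; neutralise at output time
  storage.setItem(STORAGE_KEY, JSON.stringify(comments));
  return comments;
}

function renderComments(doc, container, comments) {
  container.replaceChildren(); // drop the previous render
  for (const comment of comments) {
    const p = doc.createElement("p");
    p.textContent = comment; // becomes a text node; markup in it is never parsed
    container.appendChild(p);
  }
  return container;
}

// Same name as the handler in the question, so its onsubmit attribute still works.
function submitComment(event) {
  event.preventDefault();
  const input = document.getElementById("comment-input");
  const comments = saveComment(localStorage, input.value); // no eval() of user input
  renderComments(document, document.getElementById("comments"), comments);
  input.value = "";
}

// Browser only: show previously stored comments when the page loads.
if (typeof document !== "undefined") {
  renderComments(document, document.getElementById("comments"), loadComments(localStorage));
}
```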