Hacker News

tieTYT on May 29, 2014 | on: Google's XSS game
How is it doing that?

wasd on May 29, 2014
Using <script> ... as a payload won't work because the browser won't execute scripts added after the page has loaded.

goblin89 on May 30, 2014
The browser smartly won't execute scripts added through innerHTML, but it probably should be noted that jquery's html() method will[0]. There's always a way to shoot yourself in the foot. :)
[0] http://api.jquery.com/html/

tetrep on May 29, 2014
(spoilers!) https://developer.mozilla.org/en-US/docs/Web/API/Element.inn...

hckr1292 on May 29, 2014
It's not blocking the scripts from being inserted. Inspect the DOM and you'll see them there.
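
The distinction goblin89 and hckr1292 draw above, turned into a code-review aid (an added example, not part of the thread): a small scanner that flags writes through `innerHTML` and jQuery's `.html()` setter and records which of the two runs inserted `<script>` elements. The function name, the sample source and the constant-argument heuristic are assumptions made for illustration.

```javascript
// Added example: flags the two DOM write paths named in this thread.
// Line-based regex matching, so treat it as a review aid, not a parser.
const SINKS = [
  { name: "innerHTML assignment",
    // `x.innerHTML = ...` or `+=`; reads and `==` comparisons do not match
    pattern: /\.innerHTML\s*\+?=(?!=)\s*([^;\n]*)/,
    runsInsertedScripts: false },  // per the thread: inserted, not executed
  { name: "jQuery .html() setter",
    // needs an argument; `.html()` with none is the getter
    pattern: /\.html\(\s*([^)\s][^;\n]*)\)/,
    runsInsertedScripts: true },   // per the thread and api.jquery.com/html
];

// One quoted string literal with no concatenation (assumed heuristic).
const STRING_LITERAL = /^(["'])(?:(?!\1)[^\\]|\\.)*\1$/;

function findHtmlSinks(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const sink of SINKS) {
      const m = sink.pattern.exec(text);
      if (!m) continue;
      findings.push({
        line: i + 1,
        sink: sink.name,
        runsInsertedScripts: sink.runsInsertedScripts,
        // a fixed literal carries no untrusted data; anything else needs review
        constantArgument: STRING_LITERAL.test(m[1].trim()),
      });
    }
  });
  return findings;
}

// Constructed sample input, not taken from any real code base.
const SAMPLE = [
  'var old = panel.innerHTML;',                // read only
  'panel.innerHTML = "<p>" + query + "</p>";', // write with variable data
  '$("#banner").html("<b>Welcome</b>");',      // setter, constant markup
  '$("#result").html(response.body);',         // setter, variable data
  'var markup = $("#result").html();',         // getter
  'if (panel.innerHTML == "") { reset(); }',   // comparison
].join("\n");

console.log(findHtmlSinks(SAMPLE));
```

Findings with `constantArgument: false` are the ones to trace back to their data source; where the value is meant to be text, `textContent` or jQuery's `.text()` avoids HTML parsing altogether.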