
How is it doing that?


Using <script> ... as a payload won't work because the browser won't execute scripts added after the page has loaded.


The browser smartly won't execute scripts added through innerHTML, but it probably should be noted that jQuery's html() method will[0]. There's always a way to shoot yourself in the foot. :)

[0] http://api.jquery.com/html/



It's not blocking the scripts from being inserted. Inspect the DOM and you'll see them there.
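
An added, self-contained page (not code from any commenter) that shows both points above: the `<script>` node inserted via innerHTML is present in the DOM yet never runs, and rendering the same string with textContent leaves no script node at all. The marker `window.ran` and the comment string are constructed for this demonstration; open the file in a browser and read the log.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>innerHTML vs textContent (added demonstration)</title>
<div id="out"></div>
<div id="log"></div>
<script>
  // Constructed example input, shaped like a user-submitted comment.
  // The closing tag is written as <\/script> so the HTML parser does not
  // end this script element early.
  const untrusted = '<b>hi</b><script>window.ran = true<\/script>';

  const out = document.getElementById('out');
  const log = (msg) => {
    // textContent, so the log itself never interprets markup.
    const p = document.createElement('p');
    p.textContent = msg;
    document.getElementById('log').appendChild(p);
  };

  // 1. innerHTML parses the markup and creates the <script> element ...
  out.innerHTML = untrusted;
  log('script nodes after innerHTML: ' + out.querySelectorAll('script').length); // 1
  // ... but fragment parsing marks such script elements "already started",
  // so the browser never executes them. jQuery's html() behaves differently,
  // as noted in the thread, so the same string is not safe there.
  log('window.ran after innerHTML: ' + window.ran); // undefined

  // 2. Defensive default for untrusted input: treat it as text, not markup.
  out.textContent = untrusted;
  log('script nodes after textContent: ' + out.querySelectorAll('script').length); // 0
  log('rendered text: ' + out.textContent); // the raw string, tags shown literally
</script>
```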



