
Using <script> ... as a payload won't work because the browser won't execute scripts added after the page has loaded.


The browser smartly won't execute scripts added through innerHTML, but it probably should be noted that jQuery's html() method will[0]. There's always a way to shoot yourself in the foot. :)

[0] http://api.jquery.com/html/
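
As a code-review aid for the difference described in the comment above (an added example, not part of the original thread): a heuristic line scanner that reports `.html(...)` and `innerHTML` assignments whose value is not a constant string, and records which of the two sinks runs inserted scripts. The sample source, variable names and finding format are constructed for illustration, and the matching is regex-based rather than a real JavaScript parse.

```javascript
// Added example: heuristic review aid, not a JavaScript parser.
const SINKS = [
  // jQuery .html(value) setter: scripts contained in the value are executed.
  { name: "jquery.html", runsScripts: true, re: /\.html\((.*)\)/ },
  // Native innerHTML assignment: inserted <script> elements are not executed.
  { name: "innerHTML", runsScripts: false, re: /\.innerHTML\s*\+?=(?!=)\s*(.+?);?\s*$/ },
];

// True only for a single quoted literal: no concatenation, no interpolation.
function isStringLiteral(expr) {
  if (expr[0] === "`" && expr.includes("${")) return false;
  return /^(["'`])(?:\\.|(?!\1)[^\\])*\1$/.test(expr);
}

// Returns one finding per line where a sink receives a non-constant value.
function findHtmlSinks(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const sink of SINKS) {
      const m = sink.re.exec(text);
      if (!m) continue;
      const expr = m[1].trim();
      // Empty argument is the .html() getter; a literal is constant markup.
      if (expr === "" || isStringLiteral(expr)) continue;
      findings.push({ line: i + 1, sink: sink.name, runsScripts: sink.runsScripts, expr });
    }
  });
  return findings;
}

// Constructed sample source (hypothetical names), one statement per line.
const SAMPLE = [
  '$("#title").html("<b>Comments</b>");',
  '$("#comment").html(userComment);',
  'el.innerHTML = "<p>" + bio + "</p>";',
  'var current = $("#comment").html();',
  '$("#comment").text(userComment);',
].join("\n");

for (const f of findHtmlSinks(SAMPLE)) {
  console.log(`line ${f.line}: ${f.sink} <- ${f.expr} (runs scripts: ${f.runsScripts})`);
}
```

Both sinks are reported because both parse a string as markup; `runsScripts` carries the distinction the comment draws, and the `.text()` call on the last sample line is not reported because it inserts the value as text.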



