javascript - Failed DOM-based XSS. Inserting script throght innerHTML -

i wanted show students example of dom-base xss attack. thought inserting malicious script innerhtml enough. surprise when insert script seems not invoked.

example here https://jsfiddle.net/vo9baffu/6/ example

my question: possible dom-based xss attack in way presented in example. if not way , should change?

btw. if know examples of dom-based xss please post in comment.

briefly: can't make dom-based xss attack in way presented in example.

you have include jquery in html , use html() method instead. will accomplish ask for, because html() method evaluate code embedded in script tag.

with pure javascript, can't make xss attack, because script insert not execute in cases. happens, because inline script executes when original page parsed.

you can show students xss attack using img tag , error event shown below:

<img src="whatever.png" onerror="alert('xss')" /> 

as shown in fiddle .