Here is the JavaScript code I inject into the page:
javascript:{document.head.innerHTML+='<script>function inject(){alert("hello");}</script>';
document.body.innerHTML+='<button onclick="inject()">Run</button>';}
After running this code in the URL bar, I inspect the source code of the website. Both the button and the function definition are present, however pressing the button does not run the alert as one would expect.
What could be the problem?
asked Sep 29, 2013 at 13:51 by Richard Hayes, edited Feb 17, 2017 at 14:11 by roizpi
- Because the syntax is completely wrong – mplungjan Commented Sep 29, 2013 at 13:52
- Probably the site does proper output filtering to prevent XSS attacks. – thefourtheye Commented Sep 29, 2013 at 13:54
- Why would adding some text to the <head> define a function? What button? Are you really inspecting the source code (because it sounds like you are inspecting the live DOM)? – Quentin Commented Sep 29, 2013 at 13:56
- You need to inject your JS code into a <script> tag, and you also need to set the button's onclick prop to "inject()" to bind it. Currently you just add your function as clear text. – Alon Amir Commented Sep 29, 2013 at 14:00
- If you want to execute js directly in the browser, the best way is to use the element inspector's web console, which is built in, at least in Firefox and Chrome... – cyber-guard Commented Sep 29, 2013 at 14:06
2 Answers
Some browsers no longer accept javascript: directly from the location bar; they need you to call the script from a bookmarklet.
Your syntax smells of wishful thinking. What you try here would never work that way.
This syntax:
javascript:(function() { var s = document.createElement("script"); s.src="somejsurl.js";document.getElementsByTagName("head")[0].appendChild(s)})()
might be a better start
To get this to execute, you would need to create an html page with
<a href="javascript:(function() { var s = document.createElement('script'); s.src='somejsurl.js';document.getElementsByTagName('head')[0].appendChild(s)})()">Exec</a>
using single quotes inside the href code, then load the page and drag the "Exec" link to the bookmarks.
While testing, Chrome and Firefox have a command line you can use.
If you want to create the script and not load it, you would need to inline the script in the button you created:
javascript:(function() { var b = document.createElement("button"); b.onclick=function() { alert('hello')}; b.innerHTML='Hello'; document.body.appendChild(b);})()
Some browsers have decided to limit javascript use in the URL bar for security purposes...
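The createElement approach from the first answer, applied to the question's button and function, as an added example that is not part of the original posts. The function names, the `doc`/`win` parameters and the `__injectDemo` flag are assumptions made for illustration.

```javascript
// Added example, not from the original posts. Function names and the
// __injectDemo flag are hypothetical. Paste into the browser console.

// Build the <script> with createElement and set its code via textContent.
// A <script> that arrives through innerHTML is parsed into the DOM but is
// never executed, which is why inject() was undefined in the question.
function injectScript(doc, code) {
  var s = doc.createElement("script");
  s.textContent = code;
  doc.head.appendChild(s);
  return s;
}

// Add the button as a node instead of body.innerHTML += ..., which re-parses
// the whole body and drops listeners added with addEventListener.
function injectRunButton(doc, label, handler) {
  var b = doc.createElement("button");
  b.textContent = label;
  b.addEventListener("click", handler);
  doc.body.appendChild(b);
  return b;
}

// Browser-only check: try both insertion paths and report which one ran.
function compareInsertion(doc, win) {
  win.__injectDemo = { viaInnerHTML: false, viaCreateElement: false };
  var holder = doc.createElement("div");
  holder.innerHTML =
    "<script>window.__injectDemo.viaInnerHTML = true;<" + "/script>";
  doc.body.appendChild(holder);
  injectScript(doc, "window.__injectDemo.viaCreateElement = true;");
  return win.__injectDemo;
}

// Only runs where a DOM exists (browser console or bookmarklet).
if (typeof document !== "undefined") {
  console.log(compareInsertion(document, window));
  injectScript(document, 'function inject(){ alert("hello"); }');
  injectRunButton(document, "Run", function () { window.inject(); });
}
```

A Content-Security-Policy that disallows inline scripts can block the element created by `injectScript` as well; the handler attached with `addEventListener` is not subject to that restriction.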