Actually impl.createHTMLDocument() returns a document including head and body elements, so you can just do

body = document.implementation.createHTMLDocument().body;
body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
alert(body.innerHTML);

Cheers
-- G

Giorgio Maone wrote, On 16/02/2011 23.40:
> gaz Heyes wrote, On 16/02/2011 21.49:
>>
>> I think the createElement bit is broken in Firefox, when you assign to
>> innerHTML it executes without assigning the doc to the DOM.
> Damn copy & paste, I messed almost everything :)
>
> This one works on Firefox 4 and Chrome:
>
> var impl = document.implementation;
> var doc = impl.createHTMLDocument("");
> var body = doc.createElement("body");
> body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
> alert(body.innerHTML);
>
>
> This one is slightly more complex but works on Fx 3.6 as well
> (createHTMLDocument has been introduced in Gecko 2.0):
>
> var impl = document.implementation;
> var doc = impl.createDocument(
>   "http://www.w3.org/1999/xhtml", "html", impl.createDocumentType(
>     "html", "-//W3C//DTD HTML 4.01 Transitional//EN",
>     "http://www.w3.org/TR/html4/loose.dtd"
>   ));
> var body = doc.createElement("body");
> body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
> alert(body.innerHTML);
>
>
> Cheers
> -- G

Received on Wednesday, 16 February 2011 23:05:06 GMT
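Added example, not code from the thread or from its authors: the inert document discussed above used as the parsing stage of a sanitizer, so untrusted markup is inspected while no script can run and no onload/onerror handler can fire. DROP_ELEMENTS, URL_ATTRIBUTES, isActiveAttribute, stripActiveContent and sanitizeHTML are names and policy assumed for this example only.

```javascript
// Added example (not from the thread): parse untrusted markup in the inert
// document createHTMLDocument() returns, strip script-carrying content while
// nothing can execute, then serialize. Element/attribute lists are an assumed policy.
const DROP_ELEMENTS = new Set(["script", "iframe", "object", "embed", "style", "link", "meta", "base"]);
const URL_ATTRIBUTES = new Set(["href", "src", "action", "formaction", "xlink:href"]);

// Pure policy check: event handlers (on*) and script-bearing URL schemes.
function isActiveAttribute(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith("on")) return true;
  if (!URL_ATTRIBUTES.has(n)) return false;
  // Browsers ignore leading whitespace/control characters inside the scheme,
  // so drop them before comparing ("java\tscript:" is still javascript:).
  const v = String(value).replace(/[\u0000-\u0020]/g, "").toLowerCase();
  return v.startsWith("javascript:") || v.startsWith("vbscript:") || v.startsWith("data:");
}

// Walk an (inert) subtree, dropping forbidden elements and active attributes.
// Returns the number of removals so callers can log what was stripped.
function stripActiveContent(root) {
  let removed = 0;
  // Copy childNodes first: the live collection shrinks when we remove nodes.
  for (const node of Array.from(root.childNodes)) {
    if (node.nodeType !== 1) continue; // keep text and comment nodes as-is
    if (DROP_ELEMENTS.has(node.nodeName.toLowerCase())) {
      node.remove();
      removed += 1;
      continue;
    }
    // Same copy-first rule for the live NamedNodeMap of attributes.
    for (const attr of Array.from(node.attributes)) {
      if (isActiveAttribute(attr.name, attr.value)) {
        node.removeAttribute(attr.name);
        removed += 1;
      }
    }
    removed += stripActiveContent(node);
  }
  return removed;
}

// Browser entry point: parse in an inert document (no script execution, no
// onload/onerror firing), sanitize, and return the cleaned markup.
function sanitizeHTML(untrusted, impl = document.implementation) {
  const body = impl.createHTMLDocument("").body;
  body.innerHTML = untrusted;
  stripActiveContent(body);
  return body.innerHTML;
}
```

Prefer moving the cleaned nodes into the live page with importNode/adoptNode over re-parsing the returned string, since serializing and re-parsing can change how some markup is interpreted (the mutation XSS class of bugs).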