Injecting javascript into an alert

Question

I have a function like this where json is a json object that is in this form err: someNumber, and I want to inject javascript into that alert so that maybe i could inject ajax in there or something else, how would I go about doing that?(If it's even possible)

function imageShow(json) {
if (json && 'err' in json && json.err != "" && json.err != "200" && json.err != "OK")
    {
        alert (json.err);
    }
}

For example:

let json.err be { "err" : "<script> alert(\"Hey\");</script> }. and then I could use that alert within the alert.

If not, I have this same function with this Same json data and same everything, but instead of alerting, it changes a picture's source to the json.err: Could I inject something into this?

function imageShow(json) {

if (json && 'err' in json && json.err != "" && json.err != "200" && json.err != "OK")
    {
        $("#img")[0].src = json.err;
    }

}

You write "let `json.err` be `{ "err" : " }`" - did you mean "let `json.err` be `""`"? — Arminius, Apr 21 '18 at 15:39

Arminius · Accepted Answer · 2018-04-21T15:41:27.237

1

The message in an alert() box is always displayed as plain text. You can't inject code here.
Setting the src of an image to a user-controlled value can't lead to XSS, but some other less severe vulnerabilities as explained in this thread.

edited Apr 21 '18 at 15:41

answered Apr 21 '18 at 15:29

Arminius

43,922
13
140
136

Check my edit, I added another thing I hope I can inject – Guysudai1 Apr 21 '18 at 15:32
1

@fdsaddsa I amended my answer, but generally please don't extend your question after receiving answers. Instead, you can ask a new question (after checking that it hasn't been asked before). – Arminius Apr 21 '18 at 15:42

Injecting javascript into an alert

1 Answers1