Using Chrome Developer Tools on
http://palegoldenrod-grown-ibis.gigalixirapp.com/bear_game
it is actually using this code path:
}
/**
 * Parses `str` as HTML in the context of `doc.body` and returns the first
 * node of the resulting fragment. The Range over `doc.body` is created on the
 * first call and cached in the module-level `range` for later calls.
 *
 * Security note: nodes produced by Range.createContextualFragment include
 * <script> elements that execute once the fragment is attached to a live
 * document, so `str` must be trusted (e.g. server-rendered) markup. If the
 * markup can be attacker-influenced it has to be sanitized before it reaches
 * this function; the innerHTML-based path does not run inline scripts but is
 * still not safe for unsanitized input.
 *
 * @param {string} str - HTML markup to parse.
 * @returns {Node|undefined} first child of the parsed fragment, or undefined
 *   when `str` yields no nodes.
 */
function createFragmentFromRange(str) {
  if (!range) {
    // Lazily build the cached Range positioned on the document body.
    var bodyRange = doc.createRange();
    bodyRange.selectNode(doc.body);
    range = bodyRange;
  }
  return range.createContextualFragment(str).childNodes[0];
}
/**
 * Parses `str` by assigning it to the innerHTML of a detached <body> element
 * created from `doc`, and returns the first resulting child node.
 *
 * Security note: unlike Range.createContextualFragment, markup parsed via
 * innerHTML does not execute <script> elements, but inline event handlers and
 * other active content in `str` still take effect once the returned node is
 * inserted into the page. Treat `str` as trusted markup or sanitize it first.
 *
 * @param {string} str - HTML markup to parse.
 * @returns {Node|undefined} first child of the parsed markup, or undefined
 *   when `str` yields no nodes.
 */
function createFragmentFromWrap(str) {
  var host = doc.createElement('body');
  host.innerHTML = str;
  return host.childNodes[0];
}
/**
* This is about the same
* var html = new DOMParser().parseFromString(str, 'text/html');
and scripts will execute with Range.createContextualFragment.
Try this in the console of a fresh tab:
// Demonstrates that script elements parsed by Range.createContextualFragment
// run as soon as the fragment is attached to the live document.
const range = document.createRange();
const fragment = range.createContextualFragment(`<script>alert(1)</script>`);
document.documentElement.appendChild(fragment);
https://bugs.webkit.org/show_bug.cgi?id=12234