<p>I was reading this question with the accepted answer being:</p> <blockquote> <p>Script added by setting the innerHTML property of an element doesn't get executed.</p> </blockquote> <p>But when I try to change the innerHTML of the first <code><script></code> tag in the following code:</p> <pre class="prettyprint"><code><script></script> <script> document.querySelectorAll("script")[0].innerHTML = 'console.log("Test")'; </script> </code></pre> <p>I can see the injected code for the <code><script></code> element being executed (the <code>console.log()</code> function outputs Test).</p> <p>Furthermore if I remove the first empty <code><script></code> tag (thus making the first element <code>[0]</code> refer to the script itself), the script is changed in the DOM, but the code is never executed.</p> <pre class="prettyprint"><code><script> document.querySelectorAll("script")[0].innerHTML = 'console.log("Test")'; </script> </code></pre> <p>What prompts this behaviour?</p>

<p>This is described in Scripting. When the script is being prepared,</p> <ol> <li> <p>At step 2, the "parser-inserted" flag is removed:</p> <blockquote> <p>If the element has its "parser-inserted" flag set, then set <em>was-parser-inserted</em> to true and unset the element's "parser-inserted" flag.</p> </blockquote> </li> <li> <p>At step 4, before restoring the "parser-inserted" flag, the steps are aborted</p> <blockquote> <p>If the element has no <code>src</code> attribute, and its child nodes, if any, consist only of comment nodes and empty <code>Text</code> nodes, then the user agent must abort these steps at this point. The script is not executed.</p> </blockquote> </li> </ol> <p>Therefore, when you modify it, it will be prepared again:</p> <blockquote> <p>When a <code>script</code> element that is not marked as being "parser-inserted" experiences one of the events listed in the following list, the user agent must synchronously prepare the <code>script</code> element:</p> <ul> <li>The <code>script</code> element gets inserted into a document, at the time the node is inserted according to the DOM, after any other <code>script</code> elements inserted at the same time that are earlier in the <code>Document</code> in tree order.</li> <li>The <code>script</code> element is in a <code>Document</code> and a node or document fragment is inserted into the <code>script</code> element, after any <code>script</code> elements inserted at that time.</li> <li>The <code>script</code> element is in a <code>Document</code> and has a <code>src</code> attribute set where previously the element had no such attribute.</li> </ul> </blockquote> <p>Once the script ran, modifying the contents won't execute them, because script preparation will abort:</p> <blockquote> <p>If the <code>script</code> element is marked as having <a href="https://www.w3.org/TR/html5/scripting-1.html#already-started" rel="nofollow">"already started"</a>, then the user agent must abort these steps at this point. The script is not executed.</p> </blockquote>

<p>Very interesting finding indeed!</p> <p>It really seems that empty src-less <code>script</code> element is in some strange state that accepts either content or even new <code>src</code> and interprets them. (Couldn't find a reason for that either. I just have a tiny hint: )</p> <p><strong>It <em>resembles</em> behavior of dynamically inserted script elements.</strong></p> <p>Here is example/proof of your observation and added few more cases for illustration:</p> <p></p> <div class="snippet" data-lang="js" data-hide="true" data-console="true" data-babel="false"> <div class="snippet-code snippet-currently-hidden"> <pre class="prettyprint snippet-code-css lang-css prettyprint-override"><code>script[src]::before, script { display: block; border: 1px solid red; padding: 1em; } script[src]::before, script { content: 'src='attr(src) } button { display: block }</code></pre> <pre class="prettyprint snippet-code-html lang-html prettyprint-override"><code><p>Existing empty script in HTML:</p> <script id="existing"></script> <p>Can be invoked just one of:</p> <button onclick="eval(this.innerText)"> existing.innerHTML='console.log("innerHTML to static")' </button> <button onclick="eval(this.innerText)"> existing.src='data:text/javascript,console.log("src to static")' </button> <p>Dynamically created and inserted script (each creates own, so both work):</p> <button onclick="eval(this.innerText)"> document.body.appendChild(document.createElement('script')).innerHTML='console.log("innerHTML to dynamic")' </button> <button onclick="eval(this.innerText)"> document.body.appendChild(document.createElement('script')).src='data:text/javascript,console.log("src to dynamic")' </button></code></pre> </div> </div> <p>You will have to re-run snippet to see both "static" cases works.</p> <p>(Also there is a blank script containing white-space generated by SO, for whatever reason.)</p> <p>As Laurianti demonstrated, if the script had some (even white-space) content (or <code>src=""</code>), it would not work.</p> <p>Also, in the "dynamic" examples notice that the <code>innerHTML</code> or <code>src</code> value is altered <strong>after</strong> the <code>script</code> element had been inserted to the document. So it is possible to have a blank static or create dynamic script, leave it in the document and set use it long after that.</p> <p>Sorry for not giving a full answer, just wanted to share research and the hint.</p> <hr> <p>(Update removed; Oriol was faster and way more accurate. Phew, glad to see this sorted out!)</p>

Execution of dynamically generated Javascript

I was reading this question with the accepted answer being:

Script added by setting the innerHTML property of an element doesn't get executed.

But when I try to change the innerHTML of the first <script> tag in the following code:

<script></script>
<script>
document.querySelectorAll("script")[0].innerHTML = 'console.log("Test")';
</script>

I can see the injected code for the <script> element being executed (the console.log() function outputs Test).

Furthermore if I remove the first empty <script> tag (thus making the first element [0] refer to the script itself), the script is changed in the DOM, but the code is never executed.

<script>
document.querySelectorAll("script")[0].innerHTML = 'console.log("Test")';
</script>

What prompts this behaviour?

How to dynamically create element in JavaScript?

New elements can be dynamically created in JavaScript with the help of createElement() method. The attributes of the created element can be set using the setAttribute() method.

How to create a div dynamically in JavaScript?

var iDiv = document. createElement('div'); iDiv.id = 'block'; iDiv. className = 'block'; document.

Can dynamically execute JavaScript in electronjs?

Dynamically Execute JavaScript in ElectronJS Last Updated : 08 Jun, 2020 ElectronJS is an Open Source Framework used for building Cross-Platform native desktop applications using web technologies such as HTML, CSS, and JavaScript which are capable of running on Windows, macOS, and Linux operating systems.

When should you avoid creating dynamic functions in your web applications?

Imagine you’re building complex web-based applications and have stored logic in form of code on the server-side environment and wish to generate functions using that logic on the go. One thing to note is apart from these rare situations creating dynamic functions should be avoided as they make the code prone to security and performance issues.

How to create a function from a function object in JavaScript?

The Function object can also be used as a constructor function to create a new function on the fly. The syntax for creating a function from Function Object is as follows: args1, args2,.. argsN are the arguments accepted by the function and body is the string consisting of JavaScript statements that will be executed when the function is called.

Is it possible to create a dynamic function on the fly?

One thing to note is apart from these rare situations creating dynamic functions should be avoided as they make the code prone to security and performance issues. TLDR, The Function object could be used as a constructor function to create dynamic functions on the fly.

This is described in Scripting. When the script is being prepared,

At step 2, the "parser-inserted" flag is removed:

If the element has its "parser-inserted" flag set, then set was-parser-inserted to true and unset the element's "parser-inserted" flag.
At step 4, before restoring the "parser-inserted" flag, the steps are aborted

If the element has no src attribute, and its child nodes, if any, consist only of comment nodes and empty Text nodes, then the user agent must abort these steps at this point. The script is not executed.

Therefore, when you modify it, it will be prepared again:

When a script element that is not marked as being "parser-inserted" experiences one of the events listed in the following list, the user agent must synchronously prepare the script element:

The script element gets inserted into a document, at the time the node is inserted according to the DOM, after any other script elements inserted at the same time that are earlier in the Document in tree order.

The script element is in a Document and a node or document fragment is inserted into the script element, after any script elements inserted at that time.

The script element is in a Document and has a src attribute set where previously the element had no such attribute.

Once the script ran, modifying the contents won't execute them, because script preparation will abort:

If the script element is marked as having "already started", then the user agent must abort these steps at this point. The script is not executed.

Very interesting finding indeed!

It really seems that empty src-less script element is in some strange state that accepts either content or even new src and interprets them. (Couldn't find a reason for that either. I just have a tiny hint: )

It resembles behavior of dynamically inserted script elements.

Here is example/proof of your observation and added few more cases for illustration:

script[src]::before,
script {
  display: block;
  border: 1px solid red;
  padding: 1em;
}
script[src]::before,
script {
  content: 'src='attr(src)
}
button {
  display: block
}

<p>Existing empty script in HTML:</p>
<script id="existing"></script>
<p>Can be invoked just one of:</p>
<button onclick="eval(this.innerText)">
  existing.innerHTML='console.log("innerHTML to static")'
</button>
<button onclick="eval(this.innerText)">
  existing.src='data:text/javascript,console.log("src to static")'
</button>
<p>Dynamically created and inserted script (each creates own, so both work):</p>
<button onclick="eval(this.innerText)">
  document.body.appendChild(document.createElement('script')).innerHTML='console.log("innerHTML to dynamic")'
</button>
<button onclick="eval(this.innerText)">
  document.body.appendChild(document.createElement('script')).src='data:text/javascript,console.log("src to dynamic")'
</button>

You will have to re-run snippet to see both "static" cases works.

(Also there is a blank script containing white-space generated by SO, for whatever reason.)

As Laurianti demonstrated, if the script had some (even white-space) content (or src=""), it would not work.

Also, in the "dynamic" examples notice that the innerHTML or src value is altered after the script element had been inserted to the document. So it is possible to have a blank static or create dynamic script, leave it in the document and set use it long after that.

Sorry for not giving a full answer, just wanted to share research and the hint.

(Update removed; Oriol was faster and way more accurate. Phew, glad to see this sorted out!)

Execution of dynamically generated Javascript

Tags:

javascript

html

dom

properties

innerhtml

Daniel

People also ask

2 Answers

Oriol

myf

Recent Activity

Donate For Us

Execution of dynamically generated Javascript

Tags:

javascript

html

dom

properties

innerhtml

Daniel

People also ask

2 Answers

Oriol

myf

Related questions

Recent Activity

Donate For Us