by tieTYT 4403 days ago
I probably should be too embarrassed to ask this question, but why can't I use script tags in the second test? I don't understand what's preventing me from doing that.

The second question disallows the script tag.
How is it doing that?
Using <script> ... as a payload won't work because the browser won't execute scripts added after the page has loaded.
The browser smartly won't execute scripts added through innerHTML, but it probably should be noted that jQuery's html() method will [0]. There's always a way to shoot yourself in the foot. :)

[0] http://api.jquery.com/html/

It's not blocking the scripts from being inserted. Inspect the DOM and you'll see them there.
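To make the behaviour described in the replies above concrete, here is an added browser demo (not code from the thread): it shows that a script element inserted with innerHTML lands in the DOM but is never executed, that jQuery's html() does execute it, and that textContent is the way to display untrusted strings without creating elements at all. It assumes a local copy of jQuery at ./jquery.js (an assumption; the jQuery step is skipped if it is absent).

```html
<!-- Added demonstration, not from the thread. Assumes ./jquery.js exists. -->
<!DOCTYPE html>
<meta charset="utf-8">
<div id="a"></div><div id="b"></div><div id="c"></div>
<pre id="log"></pre>
<script src="./jquery.js"></script>
<script>
  // Constructed marker list: records which inserted scripts actually ran.
  window.ran = [];
  const log = (m) => { document.getElementById('log').textContent += m + '\n'; };
  const markup = (tag) =>
    '<b>hello</b><script>window.ran.push("' + tag + '")<\/script>';

  // 1. innerHTML: the parser creates the <script> node, but the HTML spec marks
  //    scripts created this way as "already started", so they never execute.
  document.getElementById('a').innerHTML = markup('innerHTML');
  log('innerHTML: <script> node present in DOM = ' +
      (document.querySelector('#a script') !== null));
  log('innerHTML: script executed = ' + window.ran.includes('innerHTML'));

  // 2. jQuery html(): jQuery pulls <script> nodes out of the fragment and
  //    evaluates them itself, so the same string does run here.
  if (window.jQuery) {
    jQuery('#b').html(markup('jquery'));
    log('jQuery html(): script executed = ' + window.ran.includes('jquery'));
  } else {
    log('jQuery html(): skipped (./jquery.js not loaded)');
  }

  // 3. textContent: no parsing, no elements; the string is shown literally.
  document.getElementById('c').textContent = markup('textContent');
  log('textContent: <script> node present in DOM = ' +
      (document.querySelector('#c script') !== null));
  log('textContent: script executed = ' + window.ran.includes('textContent'));
</script>
```

Open the file in a browser: the log shows the innerHTML script present but not executed, the jQuery one executed, and the textContent version neither parsed nor executed.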