June 18, 2026
PortSwigger : DOM XSS in innerHTML Sink Using Source location.search
In this lab, the website has a DOM-based XSS vulnerability in the blog search function.
danar
The page uses innerHTML to change the content of a div element. The data comes from location.search, which means the input is taken from the search query in the URL.
The goal is to run JavaScript that calls the alert function.
SOLUTION
First, I clicked Access the Lab. After that, I was redirected to the blog website.
On the page, there is a search box that can be used to search blog posts.
In the search box, I entered this payload:
<img src=1 onerror=alert(1)>
Then I clicked Search.
Why This Payload Works
The payload used is:
<img src=1 onerror=alert(1)>
This payload creates an image tag using HTML.
The first part: <img, is used to create an image element in the page.
Then: src=1, sets the image source to 1. This is not a valid image file, so the browser fails to load it.
Because the image fails to load, the onerror event is triggered.
The last part: onerror=alert(1), runs JavaScript when the image loading error happens.
So, when the browser tries to load the invalid image, it triggers onerror, which then runs alert(1). This makes the alert pop-up appear.
This works because the website puts the search input into the page using innerHTML. Because of that, the browser reads the input as real HTML, not just normal text.
After clicking Search, the browser executed the payload and showed an alert pop-up.
After the alert appeared, the lab status changed to Solved.
This lab shows how DOM XSS can happen when user input from the URL is inserted into the page using innerHTML.
By entering this payload:
<img src=1 onerror=alert(1)>
the browser created an image element. Because the image source was invalid, the onerror event ran and called alert(1).
From this lab, I learned that user input should not be inserted into HTML using innerHTML without proper filtering or encoding.
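The fix for this pattern, as an added example that is not code from the lab or from the original post: the same query value is read from a location.search-style string and written with textContent (or HTML-encoded) instead of being handed to innerHTML. The function names and the `search` parameter name are assumptions made for illustration.

```javascript
// Added example. Function names and the "search" parameter name are assumptions.

// Constructed sample input: the payload from this write-up, URL-encoded as it
// would appear in location.search.
const SAMPLE = '?search=' + encodeURIComponent('<img src=1 onerror=alert(1)>');

// Read the search term the same way for every variant.
function readQuery(search) {
  return new URLSearchParams(search).get('search') || '';
}

// Vulnerable pattern: the raw value is assigned to innerHTML, so the browser
// parses it as markup and creates the <img> element with its onerror handler.
function showQueryUnsafe(element, search) {
  element.innerHTML = readQuery(search);
}

// Preferred fix: textContent never parses HTML. The value is shown as literal
// text and no element or event handler is created.
function showQuerySafe(element, search) {
  element.textContent = readQuery(search);
}

// Fallback when the value must be placed inside an HTML string: encode the
// characters that can start a tag, an entity or close an attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function buildMessageHtml(search) {
  return '<span>' + escapeHtml(readQuery(search)) + '</span>';
}

// Stand-in objects so the example also runs outside a browser (for example in
// Node); in a page, pass the real element that displays the search term.
const unsafeTarget = {};
const safeTarget = {};
showQueryUnsafe(unsafeTarget, SAMPLE);
showQuerySafe(safeTarget, SAMPLE);
console.log('innerHTML receives markup:', unsafeTarget.innerHTML);
console.log('textContent receives text:', safeTarget.textContent);
console.log('encoded HTML string:      ', buildMessageHtml(SAMPLE));
```
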
Thanks for your attention.