Can scripts be inserted with innerHTML?

Can scripts be inserted with innerHTML?

I tried to load some scripts into a page using innerHTML on a

. It appears that the script loads into the DOM, but it is never executed (at least in Firefox and Chrome). Is there a way to have scripts execute when inserting them with innerHTML?
Sample code:


Solution 1:

You have to use eval() to execute any script code that you’ve inserted as DOM text.

MooTools will do this for you automatically, and I’m sure jQuery would as well (depending on the version. jQuery version 1.6+ uses eval). This saves a lot of hassle of parsing out <script> tags and escaping your content, as well as a bunch of other “gotchas”.

Generally if you’re going to eval() it yourself, you want to create/send the script code without any HTML markup such as <script>, as these will not eval() properly.

Solution 2:

Here is a very interesting solution to your problem:

So use this instead of script tags:

<img src="empty.gif" onload="alert('test');this.parentNode.removeChild(this);" />

Solution 3:

Here is a method that recursively replaces all scripts with executable ones:

function nodeScriptReplace(node) {
        if ( nodeScriptIs(node) === true ) {
                node.parentNode.replaceChild( nodeScriptClone(node) , node );
        else {
                var i        = 0;
                var children = node.childNodes;
                while ( i < children.length ) {
                        nodeScriptReplace( children[i++] );

        return node;
function nodeScriptIs(node) {
        return node.tagName === 'SCRIPT';
function nodeScriptClone(node){
        var script  = document.createElement("script");
        script.text = node.innerHTML;
        for( var i = node.attributes.length-1; i >= 0; i-- ) {
                script.setAttribute( node.attributes[i].name, node.attributes[i].value );
        return script;

Example call:


Solution 4:

You can create script and then inject the content.

var g = document.createElement('script');
var s = document.getElementsByTagName('script')[0];
g.text = "alert(\"hi\");"
s.parentNode.insertBefore(g, s);

This works in all browsers 🙂

Solution 5:

I used this code, it is working fine

var arr = MyDiv.getElementsByTagName('script')
for (var n = 0; n < arr.length; n++)
    eval(arr[n].innerHTML)//run script inside div

Solution 6:

For anyone still trying to do this, no, you can’t inject a script using innerHTML, but it is possible to load a string into a script tag using a Blob and URL.createObjectURL.

I’ve created an example that lets you run a string as a script and get the ‘exports’ of the script returned through a promise:

function loadScript(scriptContent, moduleId) {
    // create the script tag
    var scriptElement = document.createElement('SCRIPT');

    // create a promise which will resolve to the script's 'exports'
    // (i.e., the value returned by the script)
    var promise = new Promise(function(resolve) {
        scriptElement.onload = function() {
            var exports = window["__loadScript_exports_" + moduleId];
            delete window["__loadScript_exports_" + moduleId];

    // wrap the script contents to expose exports through a special property
    // the promise will access the exports this way
    var wrappedScriptContent =
        "(function() { window['__loadScript_exports_" + moduleId + "'] = " + 
        scriptContent + "})()";

    // create a blob from the wrapped script content
    var scriptBlob = new Blob([wrappedScriptContent], {type: 'text/javascript'});

    // set the id attribute = "__loadScript_module_" + moduleId;

    // set the src attribute to the blob's object url 
    // (this is the part that makes it work)
    scriptElement.src = URL.createObjectURL(scriptBlob);

    // append the script element

    // return the promise, which will resolve to the script's exports
    return promise;


function doTheThing() {
    // no evals
    loadScript('5 + 5').then(function(exports) {
         // should log 10

I’ve simplified this from my actual implementation, so no promises that there aren’t any bugs in it. But the principle works.

If you don’t care about getting any value back after the script runs, it’s even easier; just leave out the Promise and onload bits. You don’t even need to wrap the script or create the global window.__load_script_exports_ property.

Related:  How to correctly use ng-cloak directive?