I am testing some vulnerabilities and I have some doubts. for example: 1 -
$("#ID").html("<script>alert('XSS')</script>");
if in element id I use the id of the form input and the alert is shown, is it really vulnerable to xss?
2-
$("#id").position( {
my: "center",
at: "right bottom",
of: "<img scr='https://media.makeameme.org/created/xss-xss-everywhere-5b8065.jpg' src='' />",
collision: "none"
});
Same question, is it potentially vulnerable if the image is displayed? Why?
Although when I try to inject code directly from the input it does not execute, it does when I execute the script in the browser console. My doubt more than anything lies in that everything is done in the local environment and the information is not processed.