SPOILER ALERT : Do not continue if you do not want to be spoiled
I am currently doing the Google XSS Challenge Level 2 .
I am injecting XSS code that is inserted into the document using
element.innerHTML. I don’t understand why
<script>alert("Foobar")</script> does not work but
<img src="https://security.stackexchange.com/" onerror = "alert(1);" works.
I have tried looking at source code but I still don’t understand why. I am new to XSS, hence I would appreciate if you would make reference to the source code when formulating your answers.