How to get fully reflected XSS executed in title tag?

I recently found a website which could be vulnerable to a postMessage attack and lets you set any code within the title tags, but strangely the code is not executed.

Here is what code does:

var m = function(e) {
    // parse the posted message (no origin check) and copy its title field into the page title
    var d = JSON.parse(e.data);
    document.title = d.title;
    .....
};
window.addEventListener('message', m, false);

So everything I pass through window.postMessage('{"title":"JAVASCRIPT CODE HERE"}', '*') is fully reflected in the title, but not executed.

Reflection in source-code (Chrome Browser):

Is it because it is set through document.title? And are there ways to make it executable?
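An added example (not the site's code) of how the listener above would look hardened: the handler checks event.origin against an allowlist (the origin https://app.example is an assumption), validates the parsed message, and keeps the plain document.title assignment, which sets the title element's text content and is never parsed as HTML. The parsing and DOM parts are split so the validation can be exercised without a browser.

```javascript
// Origins allowed to set the title; placeholder value, adjust for the real deployment.
const TRUSTED_ORIGINS = new Set(['https://app.example']);
const MAX_TITLE_LENGTH = 200;

// Returns the validated title string, or null if the message must be ignored.
function parseTitleMessage(origin, data) {
  if (!TRUSTED_ORIGINS.has(origin)) {
    return null; // message from an untrusted window: drop it
  }
  let d;
  try {
    d = JSON.parse(data);
  } catch (err) {
    return null; // malformed JSON: drop it instead of throwing inside the handler
  }
  if (typeof d !== 'object' || d === null || typeof d.title !== 'string') {
    return null; // schema check: title must be a string
  }
  if (d.title.length > MAX_TITLE_LENGTH) {
    return null; // bound the length of attacker-influenced data
  }
  return d.title;
}

// Registers the hardened 'message' handler on win and updates doc.title.
// win and doc are parameters so the logic can be tested with stub objects.
function installHandler(win, doc) {
  win.addEventListener('message', function (e) {
    const title = parseTitleMessage(e.origin, e.data);
    if (title === null) {
      return;
    }
    // document.title assigns text content; markup in the string is shown literally.
    doc.title = title;
  }, false);
}

// In a browser, wire the handler to the real window and document.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installHandler(window, document);
}
```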

Did you try it in firefox?

Try to set the title with something like:

s = document.createElement("script");
s.textContent = d.title;
document.getElementsByTagName("title")[0].appendChild(s);

Yes, I tried Firefox. It is the same.

I tried a couple of payloads, even some very exotic ones, such as the ultimate XSS polyglot.

Not sure what you mean by this?

If you mean something like


then the result is

I misinterpreted your original message. I thought you were able to control the way the title is set. It looks like you’re not. So there’s no possibility for an XSS here.

I have exactly the same question. Anyone got a suggestion?