I wanted to show my students example of DOM-base XSS attack. I thought that inserting malicious script by innerHTML will by enough. But to my surprise when I insert script it seems to be not invoked.
Example is here https://jsfiddle.net/vo9baffu/6/
Briefly: You can't make a DOM-based XSS attack in the way presented in your example.
You have to include jQuery in your HTML and use the html() method instead. This will will accomplish exactly what you ask for, because the html() method will evaluate the code embedded in the script tag.
You can show your students an XSS attack by using an img tag and an error event as shown below:
<img src="whatever.png" onerror="alert('XSS')" />
as shown in this fiddle .