开发者

Why is this script element broken up into multiple document.write() calls? [duplicate]

This question already has answers here: Closed 12 years ago.

Possible Duplicate:

Why split the <script> tag when writing it with document.write()?

I have frequently 开发者_如何学运维seen the following statement:

document.write("<scr");
document.write("ipt language=\"Javascript\" type=\"text/javascript\" src=\"source url\"></scr");
document.write("ipt>");

What is the advantage of this? Why don't people write the whole script, as below?

document.write("<script ");


This might help you:

http://www.webmasterworld.com/forum91/2913.htm

Depending on the browser, the amount of other preceding javascript, and how well-formed the overall code is, this is done to prevent the parser from interpreting the and tags as executeable code rather than as a string to be written.

I have found that it just saves headaches down the road if you do this when using script to write script tags.


This is probably done to comply with the standards – but they did it wrong in this case.

From the description of CDATA data type:

Although the STYLE and SCRIPT elements use CDATA for their data model, for these elements, CDATA must be handled differently by user agents. Markup and entities must be treated as raw text and passed to the application as is. The first occurrence of the character sequence "</" (end-tag open delimiter) is treated as terminating the end of the element's content. In valid documents, this would be the end tag for the element.

So they rather should have split the end-tag open delimiter </ like this:

document.write("<script language=\"Javascript\" type=\"text/javascript\" src=\"source url\"><" + "/script>");


It depends. When you see such code, it means they are generating certain parts of the page dynamically otherwise yes they could have easily written in <script> tags just below that.

And sometimes, such code is used for malicious purposes.


Isn't this how some people attempt to get past antivirus's script scanners?

To answer your question:
There's no gain from doing this. In fact, it's actually slower, since you're invoking more functions, creating more string objects, and appending more strings.

For older browsers, I guess it might be similar to usage of <!-- <script> blargh </script> //-->


I beleive it's some kind of primitive code obfuscation to sneak in script into dynamic pages. If a website filters user input for the string "<script" for example, this piece of code here would still go through.

Most likely this is some attempt to inject malicious code somewehere.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜