开发者

cross site scripting using script tag ,change src of a script tag, can we use id for script tag

问答 作者: 
<body>
<!-- some html code -->

<script src='some.js'></script>

<!-- some html code -->

</body>

The script some.js loads a form. when i press update in that form i do not submit the form inste开发者_JAVA百科ad i form a query string and want to send it as some.js?key=value

Now i need to change the src of the script tag.

If we change the src will it work by again requesting a new content? Can we use ID for script tag and if so will it be supported by all browsers?

when the new content is received i will clear the old content displayed by this script. i think it is better to have a div and put all the contents inside that div. i am rewriting script.js to script.php in my htaccess just show the users that it is just a javascript access or no problem for me if i give a .php.

The above is the basic requirement.

What we need is just to use a script tag which will fetch content from another site and should update here.

you can give suggestions to use this in a standard way which will included updating the content from the x site.

so this is what people tell as cross site scripting, on demand javascript and please add more terminologies if any so that i will update myself.

any kind of response will do good.

According to W3C (http://www.w3.org/TR/REC-html40/interact/scripts.html#h-18.2.1) 'script' tag doesn't support any standard attributes (which includes 'id'), however it will work in most browsers. Instead of replacing 'script' tag 'src' attribute I would suggest removing the tag and adding new one - that’s more reliable. I would strongly suggest reading about JSONP and Cross-Origin Resource Sharing (http://www.w3.org/TR/cors/) - those are standards which should help you achieve what you want.

As @tpeczek mentioned, to change the script src attribute is not enough, some browsers will not reload the script.
Use the following to replace the tag:

var oldScript = document.getElementById('someID');
var script = document.createElement("script");        
script.setAttribute("type","text/javascript");                
script.setAttribute("id","someID");
script.setAttribute("src",url);

if (oldScript == null) {               
    document.body.appendChild(script);
} else {
    document.body.replaceChild(script, oldScript);
}

couldnt you go the old fashioned way and walk through all script elements and check the src to find some.js?

UPDATE: As a global attribute, id appears to be supported for script tags in HTML5.

继续阅读:javascriptxss

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9