I'm writing a script that needs to write the current page location to the DOM, and I'm concerned about XSS. Is the following Javascript snippet safe from XSS?
var script = document.createElement('script');
script.setAttribute('src', 'http://fake.?src=' + encodeURIComponent(document.location.href));
document.getElementsByTagName('head')[0].appendChild(script);
I know that using document.write() to accomplish the same thing is not safe in various browsers, but I've not seen any source discussing if using the DOM access methods is.
asked Dec 3, 2010 at 22:47 by Benjamin Anderson
1 Answer
There's no need to use "setAttribute":
script.src = 'http://fake.?src=' + encodeURIComponent(document.location.href);
I don't see where an XSS vulnerability would sneak in here. The server code at "fake." has to be "hardened" against weird values of that "src" parameter, I suppose, but that's going to be true no matter what your Javascript looks like.
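The point both the question and the answer rest on is that the page location is placed into a URL query-value context, and encodeURIComponent keeps it there. The following is an added example, not code from the question or the answer; it builds the script src both ways, then parses the result with the standard URL API to show what a receiving server would read back. The collector base URL is a placeholder assumption standing in for the "http://fake.?src=" of the question, and the sample page URLs are constructed.

```javascript
// Added example, not code from the question or the answer. It shows why the
// encodeURIComponent step matters: an attacker-influenced page URL is placed in
// a URL query-value context, and percent-encoding keeps it from adding extra
// query parameters or a fragment. The collector base URL is a placeholder
// assumption standing in for the "http://fake.?src=" of the question.
const COLLECTOR_BASE = 'https://collector.example/log?src=';

// Assemble the script src the way the question does: fixed base plus the
// percent-encoded current location.
function buildScriptSrc(href, base = COLLECTOR_BASE) {
  return base + encodeURIComponent(href);
}

// Same assembly without encoding, kept only to show what the encoding prevents.
function buildScriptSrcUnencoded(href, base = COLLECTOR_BASE) {
  return base + href;
}

// URL delimiters that must not survive in an encoded query value; if any do,
// the value can be split into extra parameters or a fragment on the way out.
const QUERY_DELIMITERS = ['&', '#', '=', '?', '/', ' ', '"', '<', '>'];

function leftoverDelimiters(encodedValue) {
  return QUERY_DELIMITERS.filter((ch) => encodedValue.includes(ch));
}

// Parse the assembled src and report whether the origin is unchanged, what the
// receiving server would read back from the "src" parameter, how many
// parameters it sees, and whether a fragment was split off.
function checkScriptSrc(src, expectedOrigin = new URL(COLLECTOR_BASE).origin) {
  const u = new URL(src);
  return {
    sameOrigin: u.origin === expectedOrigin,
    recovered: u.searchParams.get('src'),
    paramCount: [...u.searchParams.keys()].length,
    hash: u.hash,
  };
}

// Constructed sample locations: an ordinary page URL and one whose query holds
// characters that act as delimiters in HTML or URL contexts.
const SAMPLE_HREFS = [
  'https://example.org/page?id=42',
  'https://example.org/p?q="><script>x</script>&other=1#frag',
];

// Compare the encoded and unencoded assembly for every sample location.
function demo() {
  return SAMPLE_HREFS.map((href) => ({
    href,
    encoded: checkScriptSrc(buildScriptSrc(href)),
    unencoded: checkScriptSrc(buildScriptSrcUnencoded(href)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

For the benign location both forms behave the same, which is why the missing encoding is easy to overlook; for the second sample the unencoded form hands the server two parameters and drops the fragment, while the encoded form round-trips the whole location in one parameter and keeps the collector origin unchanged. One caveat worth knowing: encodeURIComponent leaves the characters ' ( ) * ! ~ unencoded, which is irrelevant when the string is assigned to script.src as in the answer, but would matter if the same string were ever written into a single-quoted HTML attribute through document.write.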