Is it possible to Execute a javascript function from the URL?
Something like: http://www.mysite./mypage.php?alert(HelloWorld);
That when this url is visited then it should run the script.
asked Apr 24, 2013 at 9:29 by Deepak Gupta; edited Apr 24, 2013 at 9:51 by Andreas Wong

Comments:
- The question here is probably not how, but why. What's your use case? :o – Andreas Wong Commented Apr 24, 2013 at 9:30
- You can do it by using GET to get the query string... there may be other ways. But I know only one. – Hiren Pandya Commented Apr 24, 2013 at 9:30
- The question is not HOW? The question is WHY???? – STT LCU Commented Apr 24, 2013 at 9:35
- @SiGanteng, @STT LCU: actually I want to make my site capable of executing JavaScript through the address bar, or in other words I want to convert it to a site that is vulnerable to XSS. This is just for an experimental purpose, so that I come to know and stop vulnerabilities against XSS. – Deepak Gupta Commented Apr 24, 2013 at 10:15
- @DeepakGupta just look at my answer. You'll be done in 30 seconds. – nl-x Commented Apr 24, 2013 at 10:17
4 Answers
On an arbitrary site? No, that would mean that browsers were creating a horrific XSS security vulnerability on every site.
On your site? You could write a server side script to read the query string and inject it into a <script> element … which would give your site the aforementioned horrific XSS security vulnerability.

That is not possible and would be a huge security issue. Set the script in the landing page and run it once it's loaded.

It is an incredibly stupid thing to do. But you can... You won't need PHP. Just use JavaScript.
In the <body onload=""> just put eval(decodeURIComponent(window.location.search.substr(1))); like this:
<body onload="eval(decodeURIComponent(window.location.search.substr(1)));">
The URL should be like http://www.mysite./mypage.php?alert('HelloWorld');
(So lose the <script></script> in the URL)

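You can define it in your PHP file!
Your PHP file:
    <?php
    // Run the script only when ?script=1 is present in the URL
    if (isset($_GET['script']) && $_GET['script'] == "1")
    {
        // ...do script
    }
In your URL:
http://youraddress./index.php?script=1
Customize it for yourself. Hope this is helpful.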
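
An added example, not taken from any of the answers above: the "choose behaviour from the URL" idea done without eval(), by dispatching on an allowlisted `script` parameter (as in the last answer) and HTML-escaping anything echoed back. The names `ACTIONS`, `escapeHtml` and `runFromUrl`, the action names and the `example.test` host are assumptions made for this sketch.

```javascript
// Added example: URL-selected behaviour without eval().
// ACTIONS, escapeHtml and runFromUrl are hypothetical names for this sketch.

// Only these named actions can be triggered from the query string.
const ACTIONS = new Map([
  ["hello", () => "HelloWorld"],
  ["time", () => "server time requested"],
]);

// Escape the five HTML-significant characters before reflecting input.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Parse ?script=<name> and run the matching action; the value is only
// ever used as a lookup key, never evaluated as code.
function runFromUrl(href) {
  const name = new URL(href).searchParams.get("script");
  if (name === null) {
    return { ok: false, html: "No action requested." };
  }
  // A Map has no inherited keys, so names like "constructor" do not match.
  if (!ACTIONS.has(name)) {
    return { ok: false, html: "Unknown action: " + escapeHtml(name) };
  }
  return { ok: true, html: escapeHtml(ACTIONS.get(name)()) };
}

// Constructed sample URLs (example.test is a placeholder host).
const samples = [
  "http://example.test/mypage.php?script=hello",
  "http://example.test/mypage.php?script=<b>x</b>",
  "http://example.test/mypage.php?script=constructor",
  "http://example.test/mypage.php",
];
for (const href of samples) {
  console.log(href, "->", runFromUrl(href));
}
```

The markup in the second sample comes back as inert text (`&lt;b&gt;x&lt;/b&gt;`) because it is treated as data at every step.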