I'm sorry the question title is so vague, but I was looking at some code from a Job posting boards conversion tracking software and ran across this for the first time.
document.write('<i' + 'mg height="1" ' +
'width="1" border="0" ' +
'src="' + url + '&ifr' + 'ame=0" />');
document.write('</ifr' + 'ame>');
Why are they breaking up the string literal in this manner? Specifically '</ifr'+'ame>'
When HTML parsers see certain tags, even when embedded in JavaScript strings, they'll be parsed immediately as those tags.
Breaking them up avoids this behavior--<script>
is the one that usually causes problems; I agree with Mike that it shouldn't be necessary for iframe
s (AFAIK no others, either, but I can't speak to that with any authority).
It's also a trick to avoid being trivially parsed by crawlers.
It looks like cargo cult programming.
In HTML, you need to make sure that your <script>
blocks do not contain </script>
that you do not want to end the script.
For example,
<script>document.write('<script>alert(42);</script>');</script>
is a broken script but
<script>document.write('<script>alert(42);<\/script>');</script>
is a single well-formed script block.
In XHTML, <script>
s don't work that way so you need to worry about ]]>
instead when you're using CDATA sections.
In either case though, splitting </iframe>
and <img
is unnecessary.
My guess is they are doing that in an attempt to defeat web crawlers which would ordinarily parse the static HTML looking for certain tags to scrape.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With