
Javascript - breaking up string literals... why?

Tags:

javascript

I'm sorry the question title is so vague, but I was looking at some code from a job posting board's conversion tracking software and ran across this for the first time.

    document.write('<i' + 'mg height="1" ' +
         'width="1" border="0" ' +
         'src="' + url + '&ifr' + 'ame=0" />');
    document.write('</ifr' + 'ame>');

Why are they breaking up the string literal in this manner? Specifically '</ifr'+'ame>'

Chris G. asked Dec 14 '11 17:12


3 Answers

When HTML parsers see certain tags, even when embedded in JavaScript strings, they'll be parsed immediately as those tags.

Breaking them up avoids this behavior--<script> is the one that usually causes problems; I agree with Mike that it shouldn't be necessary for iframes (AFAIK no others, either, but I can't speak to that with any authority).

It's also a trick to avoid being trivially parsed by crawlers.

Dave Newton answered Oct 20 '22 02:10


It looks like cargo cult programming.

In HTML, you need to make sure that your <script> blocks do not contain </script> that you do not want to end the script.

For example,

    <script>document.write('<script>alert(42);</script>');</script>

is a broken script but

    <script>document.write('<script>alert(42);<\/script>');</script>

is a single well-formed script block.

In XHTML, <script>s don't work that way so you need to worry about ]]> instead when you're using CDATA sections.

In either case though, splitting </iframe> and <img is unnecessary.

Mike Samuel answered Oct 20 '22 01:10
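The behaviour described in the answer above, as an added example that is not part of the original answers: a simplified model of where an HTML parser ends an inline script block, run over the answer's two snippets, plus an escaper for values written into inline scripts. The function names are hypothetical, the model ignores the tokenizer's `<!--` escape states, and the escaper assumes a JSON-serializable value.

```javascript
// Added example. Function names are hypothetical; the two sample pages are
// the snippets from the answer above, embedded as constructed test input.
const BROKEN_PAGE = "<script>document.write('<script>alert(42);</script>');</script>";
const FIXED_PAGE = "<script>document.write('<script>alert(42);<\\/script>');</script>";

// Simplified model of the HTML tokenizer: the script body runs from the first
// <script ...> open tag to the first "</script" followed by whitespace, "/"
// or ">", matched case-insensitively. JavaScript quoting is not considered.
function scriptBodySeenByHtmlParser(html) {
  const open = /<script\b[^>]*>/i.exec(html);
  if (!open) return null;
  const rest = html.slice(open.index + open[0].length);
  const close = /<\/script[\s\/>]/i.exec(rest);
  return close ? rest.slice(0, close.index) : rest;
}

// True if the text compiles as JavaScript. new Function only compiles the
// body; it is never called, so nothing in the sample is executed.
function parsesAsJs(source) {
  try {
    new Function(source);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Serialize a value as a literal that is safe inside an inline script block:
// with "<" and ">" written as \u escapes, the output cannot contain
// "</script", "<!--" or the "]]>" that ends an XHTML CDATA section.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

// Body the parser hands to the JS engine for each page, and whether it compiles.
for (const page of [BROKEN_PAGE, FIXED_PAGE]) {
  const body = scriptBodySeenByHtmlParser(page);
  console.log(JSON.stringify(body), "compiles:", parsesAsJs(body));
}
console.log(toInlineScriptLiteral("</script><!-- ]]>"));
```

The escaped literal decodes back to the original string when the script runs, so no string splitting is needed at the call site.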


My guess is they are doing that in an attempt to defeat web crawlers which would ordinarily parse the static HTML looking for certain tags to scrape.

Jake Feasel answered Oct 20 '22 01:10