setAttribute() and XSS

I'm writing a script that needs to write the current page location to the DOM, and I'm concerned about XSS. Is the following Javascript snippet safe from XSS?

// Build a <script> element whose src carries the current page URL as a query parameter.
var script = document.createElement('script');
// encodeURIComponent percent-encodes the location so it cannot break out of the query string.
script.setAttribute('src', 'http://fake.com?src=' + encodeURIComponent(document.location.href));
// Insert the element into <head>, which triggers the request to fake.com.
document.getElementsByTagName('head')[0].appendChild(script);

I know that using document.write() to accomplish the same thing is not safe in various browsers, but I've not seen any source discussing if using the DOM access methods is.

Benjamin Anderson asked Feb 25 '23 16:02


1 Answer

There's no need to use "setAttribute":

script.src = 'http://fake.com?src=' + encodeURIComponent(document.location.href);

I don't see where an XSS vulnerability would sneak in here. The server code at "fake.com" has to be "hardened" against weird values of that "src" parameter, I suppose, but that's going to be true no matter what your Javascript looks like.

Pointy answered Apr 19 '23 05:04
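Added example for this thread (not code from the question or the answer): it builds the beacon URL the way the snippet does, checks that no HTML-significant characters survive encodeURIComponent, and shows the server-side validation and escaping at "fake.com" that the answer says is needed regardless of the client code. It runs under Node without a DOM; the handler and the escape helper are illustrative, not any library's API.

```javascript
// Added example for this thread (not code from the question or the answer).
// Runs under Node without a DOM. "fake.com" is the placeholder host from the question.
const BEACON_BASE = 'http://fake.com?src=';

// Client side: the same URL construction as the question, as a pure function.
function buildBeaconUrl(pageHref) {
  return BEACON_BASE + encodeURIComponent(pageHref);
}

// Assigning script.src (or calling setAttribute) stores the string as attribute
// data; nothing parses it as HTML, so there is no markup-injection sink there.
// On top of that, encodeURIComponent percent-encodes every character listed
// below, so none of them reach fake.com unencoded. It leaves the single quote
// alone, which only matters if the value were later spliced into a JS string.
const MARKUP_CHARS = ['<', '>', '"', '&', '#', ' '];
function queryHasRawMarkupChars(url) {
  const query = url.slice(BEACON_BASE.length);
  return MARKUP_CHARS.some((c) => query.includes(c));
}

// Server side (fake.com): the hardening the answer says is needed anyway.
// searchParams.get() has already decoded the value, so treat it as untrusted input.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical request handler: validates the src parameter and escapes it
// before it is ever reflected into an HTML response.
function handleBeacon(requestUrl) {
  const src = new URL(requestUrl).searchParams.get('src');
  if (src === null) return { status: 400, body: 'missing src' };
  let parsed;
  try { parsed = new URL(src); } catch { return { status: 400, body: 'src is not a URL' }; }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { status: 400, body: 'unsupported scheme' };
  }
  // Only reflect the value after escaping it for the HTML context.
  return { status: 200, body: `<p>page: ${escapeHtml(src)}</p>` };
}
```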