This question already has answers here:
Can scripts be inserted with innerHTML?
(26 answers)
Closed 7 years ago.
I am trying to find the right way to harden my Javascript against code injection attacks.
So, I created what I thought would be a successful code injection:
document.getElementById("result").innerHTML = "hello <script> alert(0) <\/script> kuku";
Evaluating document.getElementById("result").innerHTML in debugger shows that it did go through:
"hello <script> alert(0) </script> kuku"
So how come there is no alert?
Setting the .innerHTML to content that includes <script> blocks will never cause the code embedded to be evaluated. That's just how .innerHTML works.
Related
This question already has answers here:
How to execute a JavaScript function when I have its name as a string
(36 answers)
Closed 4 years ago.
I want to load a page and, after the body tag, execute a sort based on localStorage. But myWay (no pun intended) doesn't work. Can you help me?
I have 3 sort functions, each with one of these lines:
<script>
localStorage.setItem("current_sort", "classSort()");
localStorage.setItem("current_sort", "playerSort()");
localStorage.setItem("current_sort", "ratingSort()");
</script>
<script>
myWay = localStorage.getItem("current_sort");
if (myWay === "") {myWay = "playerSort()";}
</script>
How do I load myway?
<script>
eval (myway()); //doesn't seem to work.
</script>
that is how we execute functions as second parameter:
localStorage.setItem("current_sort", function(){classSort()});
localStorage.setItem("current_sort", function(){nameSort()});
localStorage.setItem("current_sort", function(){ratingsort()});
This question already has answers here:
Is there a php echo/print equivalent in javascript
(9 answers)
Closed 8 years ago.
If I have some PHP HTML that reads like this:
<html> I am feeling <?php print urldecode($_GET["emotion"]);?> today!</html>
and Get's "emotion" in URL title is "Happy", the HTML renders "I am feeling Happy today!".
Now, migrating away from PHP, how do I do this with javascript?
In Javascript I have a variable $emotion = "Happy"; so what Javascript goes inbetween the script tags below (where there are currently asterisks********)
<html> I am feeling <script>*********************</script> today!</html>
You can do it easily by putting an element where you want the text to change, then accessing that element by it's id.
$emotion = "Happy";
var e = document.getElementById('emotion');
e.innerHTML = $emotion;
I am feeling <span id="emotion"></span> today!
This question already has answers here:
Encode URL in JavaScript
(22 answers)
Closed 8 years ago.
I want to load another page via Javascript like this
$("#resultarea").load("searchresults.php?searchstring=" + $("#searchbox").val());
in searchresults.php, a single statement
echo $_GET["searchstring"];
what I type in searchbox appears when searchresults.php is loaded except when I add space and another word, no thing appear at all. I heared it can be done by encoding or somewhat, I searched but didn't find a solution.
Try encodeURIComponent:
var encodedValue = encodeURIComponent($("#searchbox").val());
$("#resultarea").load("searchresults.php?searchstring=" + encodedValue);
Source
Demo
This question already has answers here:
How do I pass variables and data from PHP to JavaScript?
(19 answers)
Closed 8 years ago.
What's the preferred way of outputting PHP code within apostrophes? For example this JavaScript code would break and the second line will be totally empty:
var jsString = '<div id="content">'+'<?php echo $something['1'] ?>'+'</div>';
Thanks! I know this is kind of basic and I know how to fix it, but I'm wondering how to do it the right way?
[edit]
I know it looks obvious, but $something["1"] won't work. The same goes for $something[\'1\'].
This example is working well for me :
<?php
$something['1']='hhhh0';
?>
<script type='text/javascript'>
var jsString = '<div id="content">'+'<?php echo $something['1'] ;?>'+'</div>';
alert(jsString);
</script>
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
How exactly does <script defer=“defer”> work?
Can anybody explain me how defer works?
As example how following code will work:
document.write("<script id=__ie_onload defer " + ((location.protocol == "https:") ? "src='javascript:void(0)'" : "src=//0") + "><\/script>")
And why using different value of src for different protocol?
defer is an IE attribute that tells the browser to delay the execution of the script.
http://www.w3.org/TR/html4/interact/scripts.html#h-18.2.1
"When set, this boolean attribute provides a hint to the user agent that the script is not going to generate any document content (e.g., no "document.write" in javascript) and thus, the user agent can continue parsing and rendering."