XSS script HTML tag
Information about document.currentScript has been added to this post. document.currentScript should be considered the better option.
There are times when the contents of an external script may want to reference its own SCRIPT tag. There are times that developers may want to detect attributes of the script tag which act as options for the script; this is a practice that's been done by the Dojo Toolkit for years. Lea Verou's Prism syntax highlighter also uses this practice:
    <!-- Traditional Dojo config -->
    <script src="//ajax.googleapis.com/ajax/libs/dojo/1.8.3/dojo/dojo.js" data-dojo-config="async: true"></script>

    <!-- Sample Prism config -->
    <script src="prism.js" data-default-language="markup" data-manual></script>

So how are these projects getting the correct SCRIPT tag with which to look for attributes? Assuming a top-down (not async) load of scripts, the following will get a script its own tag:
    /* From inside the script.... */

    // Reliably grab my script tag
    var script = document.getElementsByTagName("script");
    script = script[script.length - 1];

    // Check for an attribute/config
    if (script.hasAttribute('data-something')) {
      // Do something!
    }

Collect the SCRIPT elements up to that point and reference the last one -- that's all you need to do. Of course we're living in a mostly async world right now, so to accommodate those cases, you may need to stick an ID on the SCRIPT element, take a chance matching the SCRIPT by path (a really bad idea), or use a different type of configuration system.
A standard document.currentScript property also exists, and it provides the most reliable method of detecting the currently executing script:
    var script = document.currentScript;

Pairing this method with the older solution, the best complete code solution could be this:
    var script = document.currentScript || (function() {
      var scripts = document.getElementsByTagName("script");
      return scripts[scripts.length - 1];
    })();

Translated from: https://davidwalsh.name/script-tag
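A stricter variant of the combined lookup above, as an added example that is not part of the original post: it accepts document.currentScript only when the value is a SCRIPT element, and uses the "last SCRIPT" fallback only while the document is still being parsed. The helper names (isScriptElement, findOwnScript, readOptions) and the fake DOM objects are assumptions made for illustration.

```javascript
// Hypothetical helpers (not from the original post). They take the document
// as a parameter so the logic can be exercised with constructed stand-ins.

function isScriptElement(node) {
  return !!node && typeof node.tagName === "string" &&
    node.tagName.toUpperCase() === "SCRIPT" &&
    typeof node.getAttribute === "function";
}

function findOwnScript(doc) {
  // Accept currentScript only if it really is a SCRIPT element.
  if (isScriptElement(doc.currentScript)) return doc.currentScript;
  // currentScript is null in module scripts and in callbacks that run after
  // the script finished. Once parsing is over, "last SCRIPT in the document"
  // names an unrelated script, so refuse to guess.
  if (doc.readyState !== "loading") return null;
  var scripts = doc.getElementsByTagName("script");
  var last = scripts[scripts.length - 1];
  return isScriptElement(last) ? last : null;
}

function readOptions(script, defaults) {
  // Only option names listed in `defaults` are read from data-* attributes.
  var options = {};
  Object.keys(defaults).forEach(function (name) {
    var attr = "data-" + name;
    options[name] = script && script.hasAttribute(attr)
      ? script.getAttribute(attr) : defaults[name];
  });
  return options;
}

// Constructed stand-ins for DOM objects (sample data, not real page markup).
function fakeElement(tagName, attrs) {
  return {
    tagName: tagName,
    hasAttribute: function (n) { return Object.prototype.hasOwnProperty.call(attrs, n); },
    getAttribute: function (n) { return this.hasAttribute(n) ? attrs[n] : null; }
  };
}
function fakeDocument(currentScript, readyState, scripts) {
  return {
    currentScript: currentScript,
    readyState: readyState,
    getElementsByTagName: function () { return scripts; }
  };
}
```

In a browser, call findOwnScript(document) synchronously at the top of the script and treat a null result as "no configuration found" rather than falling back to another tag.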