[jQuery] Re: Any server status if use script tag for XSS?

2007-10-09 Thread Matt
Maybe you could attach an onload or onerror event to your html element
(script)?
Anyway, jQuery has a home-made method to let you do this, cross-browser:
See http://docs.jquery.com/Ajax/jQuery.getScript#urlcallback

Matt

2007/10/9, Jacky [EMAIL PROTECTED]:

 Hi,

 I would like to call a cross-site script.
 So I use the script tag technique (create script tag, assign src and
 append to head) to do so.
 But unlike XMLHttpRequest, I cannot get any response status from it.
 So I just wonder if there is any way I can detect if the remote script is
 not available?

 I tried to use try-catch, which works on Firefox but not IE. Code:

 $(document).ready(function(){
     try{
         var s = document.createElement("script");
         s.type = "text/javascript";
         s.src = "http://thisurldoesnotexist/dsfsdlfjk.js";
         document.appendChild(s);
     }
     catch(e){
         alert("any error");
     }
 });

 --
 Best Regards,
 Jacky
 網絡暴民 http://jacky.seezone.net




-- 
Matthias ETIENNE


[jQuery] Re: Any server status if use script tag for XSS?

2007-10-09 Thread Scott Trudeau
I actually posted to the dev list about a similar issue (using JSONP, which
is script-like).  I'd like to put a short timer on the script calls and
receive a timeout if the callback function fails to fire.

Scott

-- 
--
Scott Trudeau
scott.trudeau AT gmail DOT com
http://sstrudeau.com/
AIM: sodthestreets


[jQuery] Re: Any server status if use script tag for XSS?

2007-10-09 Thread Jacky
If the server returns something like a 404/500 page, I guess it would cause a
JavaScript error when the browser tries to evaluate it, and the try-catch method
could work.

A timer would be a good idea, but determining the time to wait would require
some specific measure.
-- 
Best Regards,
Jacky
網絡暴民 http://jacky.seezone.net



[jQuery] Re: Any server status if use script tag for XSS?

2007-10-09 Thread Jacky
If I remember correctly, getScript can't do cross site.

-- 
Best Regards,
Jacky
網絡暴民 http://jacky.seezone.net



[jQuery] Re: Any server status if use script tag for XSS?

2007-10-09 Thread Karl Swedberg

Hey Jacky, it can now. :-)

from http://docs.jquery.com/Ajax/jQuery.getScript#urlcallback:

Before jQuery 1.2, getScript was only able to load scripts from the  
same domain as the original page. As of 1.2, you can now load  
JavaScript files from any domain.



--Karl
_
Karl Swedberg
www.englishrules.com
www.learningjquery.com





[jQuery] Re: Any server status if use script tag for XSS?

2007-10-09 Thread Jacky
Thanks.

After looking into the getScript code, I tried to play around with the
readyState of the script elements.

// script is the dynamically created script element, head is the page's head element
script.onload = script.onreadystatechange = function(){
    try{
        document.body.innerHTML += "<p>" + this.readyState + "</p>";
        if (!this.readyState || this.readyState == "loaded"
                || this.readyState == "complete"){
            document.body.innerHTML += "<p>Success</p>";
            head.removeChild( script );
        }
    }catch(e){
        alert("any error " + e);
    }
};

1. http://urldoesnotexist.com/fdil.js
This is a request where the browser should not be able to resolve the
server.
Firefox prints nothing, but IE does print all of 'loading', 'loaded' and
'success'.

2. http://www.google.com/doesnothavethisjs.js
Just a simple error page returned by google.com.
Firefox prints nothing, but IE prints 'loading', 'loaded' and 'success'.

3. http://someserver/soemjs.js
This request would return an HTML page saying the file cannot be found on the
server, like (2). It is on our own application server.
Firefox prints 'undefined', 'success' and then has a script error about an HTML
tag error (I guess because the returned page is not well-formed HTML).
IE prints 'loading', 'loaded' and 'success' with a script error saying 'syntax
error'.

Seems that in IE, I cannot quite distinguish what is going on.





-- 
Best Regards,
Jacky
網絡暴民 http://jacky.seezone.net
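
Added example (not part of the original thread and not jQuery's code): a script-tag loader that combines the three ideas raised above, the onload/onerror handlers, the readyState check and the timeout, and reports a single outcome. The names loadScript, opts.check, opts.timeoutMs and the status strings are chosen for this example; it assumes the remote script leaves something the page can test for, such as a global it defines or a JSONP callback it calls.

```javascript
// Added example. loadScript, opts.* and the status strings are names chosen here.
// Reports exactly one of "loaded", "error" or "timeout" for a <script> include.
// The included script runs with this page's privileges, so url should point at
// a fixed, trusted origin and never be built from user input.
function loadScript(url, opts, done) {
  var doc = opts.document || document;        // injectable so it can run without a browser
  var startTimer = opts.setTimeout || setTimeout;
  var stopTimer = opts.clearTimeout || clearTimeout;
  var head = doc.getElementsByTagName("head")[0];
  var script = doc.createElement("script");
  var settled = false;

  function finish(status) {
    if (settled) { return; }                  // first outcome wins, later events are ignored
    settled = true;
    stopTimer(timer);
    script.onload = script.onerror = script.onreadystatechange = null;
    head.removeChild(script);
    done(status);
  }

  // A load event only means the browser stopped fetching. As observed in the
  // thread, IE reaches "loaded" even for an unresolvable host, so success is
  // decided by opts.check(): did the remote code actually run?
  function onFetched() {
    finish(opts.check() ? "loaded" : "error");
  }

  script.onload = onFetched;
  script.onerror = function () { finish("error"); };
  script.onreadystatechange = function () {
    if (script.readyState === "loaded" || script.readyState === "complete") {
      onFetched();
    }
  };

  // The timer covers the case where no event fires at all on failure.
  var timer = startTimer(function () { finish("timeout"); }, opts.timeoutMs || 5000);

  script.type = "text/javascript";
  script.src = url;
  head.appendChild(script);
  return script;
}
```

In a page, opts.check would be something like function () { return typeof window.remoteLib !== "undefined"; }, where remoteLib is a hypothetical global defined by the remote script.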