<script type="text">
Here's what's in the script tag.
</script>
The script tag has a type attribute whose default value is text/javascript. If you write a script tag without declaring a type, the browser treats its content as JavaScript. For example:
<script>
var a = 50;
</script>
<script type="text/javascript">
alert(a); // 50
</script>
Of course, you can also specify that it is plain text:
<script type="text">
var a = 50;
</script>
<script type="text/javascript">
alert(a); // error: a is not defined
</script>
Because the type of the first script tag is text, the browser does not treat its content as JavaScript, so the variable is never declared.
It follows that when a script tag has type=text, no content inside it will ever cause a JS syntax error. Without the type, plain text inside the tag is an error:
<script>
This is the script tag content; type=text is not specified, so the browser handles it as JavaScript by default and reports a syntax error
</script>
Once the tag is declared as type=text, the error disappears:
<script type="text">
This is the script tag content; type=text is not specified, so the browser handles it as JavaScript by default and reports a syntax error
</script>
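The rule behind the two cases above, written out as an added example that is not part of the original article: it follows the type-string step of the HTML Standard's "prepare the script element" algorithm to decide whether a script element runs or is only a data block. The function name `classifyScriptType` and the sample values are assumptions made for this illustration.

```javascript
// Added example: classify a <script> element from its type/language attributes.
// classifyScriptType is a name chosen for this illustration.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// type / language: the attribute value, or null when the attribute is absent.
function classifyScriptType(type, language = null) {
  let typeString;
  if (type === "" || (type === null && (language === null || language === ""))) {
    typeString = "text/javascript"; // the default described in the article
  } else if (type !== null) {
    // Strip leading/trailing ASCII whitespace only (tab, LF, FF, CR, space).
    typeString = type.replace(/^[\t\n\f\r ]+|[\t\n\f\r ]+$/g, "");
  } else {
    typeString = "text/" + language; // legacy language="..." attribute
  }
  // Matching is ASCII case-insensitive, so lowercase A-Z only.
  const lower = typeString.replace(/[A-Z]/g, (c) => c.toLowerCase());
  if (JS_MIME_ESSENCES.has(lower)) return "classic";
  if (lower === "module") return "module";
  if (lower === "importmap") return "importmap";
  return "data"; // data block: never run as JavaScript
}

// Constructed sample inputs. Case does not matter: "Text/javascript" still
// runs, while "Text" or "text/template" leaves the content inert.
const samples = [null, "", "Text/javascript", " text/javascript ", "Text",
                 "text/template", "module"];
for (const t of samples) {
  console.log(JSON.stringify(t), "->", classifyScriptType(t));
}
```

A sanitizer or content review that relies on a script element being inert has to apply this same normalisation, otherwise a value that differs only in case or surrounding whitespace is misjudged as a data block.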
A script element is also a tag, and since it is a tag, we can get its DOM node:
Even when the script tag is declared as type=text/javascript, its content can still be read:
<script type="text/javascript">
// This is a single-line comment.
/**
* This is a multiline comment.
*/
var name = "Lizhong";
</script>
As shown above, we can read the content of a script tag through its DOM node, but we cannot read the content of the file specified by src. For example:
<script type="text/javascript" src="A.js">
// This is a single-line comment.
/**
* This is a multiline comment.
*/
var name = "Lizhong";
</script>
Contents of the A.js file:
var Dec = "Here is the A.js file content";
Run it:
We find that what is printed is the content actually written inside the script tag on the page, even if I declare the script tag like this:
Interestingly, however, Firefox's Firebug tool shows the content of the script tag as the content of the file specified by src:
But what you read through the DOM node's innerHTML property is still what is actually written in the tag on the page.
This raises a question:
If a page could dynamically read the content of the file that a script tag's src points to, that would be very unsafe. My site could then easily obtain the files (at least the contents of text files) on the computer of any user who visits it.
Suppose I generate a tag like this, and a Windows user who has a D drive visits my site:
It could give me the whole directory listing of the D drive:
I would then read the script node's content and extract the file names with a regular expression, and once I have the file names it is easy to get the file contents.
Unfortunately, most browsers have closed this loophole, so don't get your hopes up!