JavaScript cannot read the contents of the script tag's src file

Source: Internet
Author: User

This article describes how to solve the problem that JavaScript cannot read the src file of the script tag.

Script tag

Generally, when we create a script tag on the page, it either uses src to reference an external js file:

<script type="text/javascript" src="jquery-1.9.1.min.js"></script>

or has its content written directly in the tag:

<script type="text">
Here is the content in the script tag.
</script>

The script tag has a type attribute whose default value is text/javascript. If you declare a script tag without a type attribute, the browser treats its content as a js document by default.

<script>
    var a = 50;
</script>

<script type="text/javascript">
    alert(a); // 50
</script>

Of course, you can also specify that it is plain text:

<script type="text">
    var a = 50;
</script>

<script type="text/javascript">
    alert(a); // Error: a is not defined
</script>

Because the type of the first script tag is text, the browser will not treat the content in the tag as a js document, and will not declare the variable.

Of course, if the script tag's type is text, no js syntax error is reported for anything written in the tag:

<script>
Here is the script tag content. No type="text" is specified, so by default the browser treats it as a js document and a syntax error will be reported.
</script>

Declare it as type="text" and the error disappears:

<script type="text">
Here is the script tag content. No type="text" is specified, so by default the browser treats it as a js document and a syntax error will be reported.
</script>

 

Get script content through DOM Node

A script is still a tag. Since it is a tag, we can get its DOM node:

Even if the script tag is declared with type="text/javascript", you can still get its content:

<script type="text/javascript">
// Here is a single line comment
/**
 * Multiline comments
 */
var name = "lizhong";
</script>

Security: you cannot obtain the contents of the src file.

As shown above, we can get the script content through the DOM node, but we cannot get the content of the file specified by src. For example:

<script type="text/javascript" src="a.js">
// Here is a single line comment
/**
 * Multiline comments
 */
var name = "lizhong";
</script>

a.js file content:

var dec = "Here is the content of the .js file";

Run:

We find that what gets printed is still the content written inline in the script tag on the page. Even if I declare the script tag in the normal way:

<script type="text/javascript" src="a.js"></script>

Or use type="text":

<script type="text" src="a.js"></script>

The result still fails to get the content of a.js:

Interestingly, however, the Firebug tool in Firefox displays the content of the script tag as the content of the file specified by src:

What you read through the innerHTML property of the DOM node, however, is still what was written inline in the tag on the page.
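
The behaviour described so far, as an added example that is not part of the original article: a simplified Node.js model of which script elements execute, which ones fetch their src, and what the DOM text returns. The names describeScripts, parseAttrs and SAMPLE are made up for this illustration, the regex parsing handles double-quoted attributes only, and the type list is abridged from the HTML standard.

```javascript
// Added example. Simplified model of how a browser treats each <script> element.
// Types that make a script executable (abridged from the HTML standard's list).
const EXECUTABLE_TYPES = new Set([
  "", "text/javascript", "application/javascript",
  "text/ecmascript", "application/ecmascript", "module",
]);

// Parse double-quoted attributes only; enough for the constructed sample below.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

function describeScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, rawAttrs, body] of html.matchAll(re)) {
    const attrs = parseAttrs(rawAttrs);
    const type = (attrs.type ?? "").trim().toLowerCase();
    const executable = EXECUTABLE_TYPES.has(type);
    const src = attrs.src ?? null;
    out.push({
      type: type || "(default)",
      src,
      // What innerHTML/textContent returns: the inline text only, never the src file.
      domText: body.trim(),
      // Inline code runs only in an executable script that has no src attribute.
      inlineRuns: executable && src === null && body.trim() !== "",
      // The src file is fetched only for executable scripts; data blocks ignore src.
      srcFetched: executable && src !== null,
    });
  }
  return out;
}

// Constructed sample built from the snippets on this page.
const SAMPLE = `
<script>var a = 50;</script>
<script type="text">var a = 50;</script>
<script type="text/javascript" src="a.js">var name = "lizhong";</script>
<script type="text" src="a.js"></script>`;

for (const s of describeScripts(SAMPLE)) console.log(JSON.stringify(s));
```
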

This raises a problem:

If a page could dynamically read the content of the file that a script tag's src points to, it would be very insecure. I could then easily obtain all the files (at least the text files) on the computers of the users who log on to my site.

For example, suppose a Windows user who has a D drive accesses my site and I generate a tag like this:

<script type="text" src="file:///D:/"></script>

It can get the listing of all files and directories on my D drive:

The page would then obtain the content of the script node and extract a large number of file names from it with regular expressions. Once the file names are known, it is easy to get the content of the files.

Unfortunately, most browsers block this vulnerability. Don't dream about it!
