I have a requirement to dynamically update the "src" link in the below code with a hyperlink which in turn will point to another .js file.
The following is just an example URL used for "src".
My question is: if 'src' is allowed to change at runtime, does this code become vulnerable to an XSS attack?
If yes, can you please advise which alternate approach can be taken?
var customScript = document.createElement('script');
customScript.async = true;
customScript.src = 'https://abcd.com/custom_file1.js';
var s = document.getElementsByTagName('script');
As far as I know you're adding a new <script> tag, from which the attribute value
This is perfectly fine.
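One way to constrain a runtime-supplied value before it reaches `src`, as an added example that is not part of the original question or answer. The allowed-origin list, the `.js` path rule and the function names are assumptions for illustration; the document is passed in as a parameter so the check can also be exercised outside a browser.

```javascript
// Added example: allowlist check applied before a runtime value is assigned
// to script.src. ALLOWED_ORIGINS and the path rule are assumed policy values.
const ALLOWED_ORIGINS = new Set(['https://abcd.com']);

// Returns a normalized URL string if the candidate is acceptable, else null.
function vetScriptUrl(candidate, baseUrl) {
  let url;
  try {
    // Parse with the same resolution rules the browser would apply,
    // so relative and protocol-relative inputs are judged after resolution.
    url = new URL(candidate, baseUrl);
  } catch (e) {
    return null; // not parseable as a URL
  }
  if (url.protocol !== 'https:') return null;        // rejects javascript:, data:, http:
  if (url.username || url.password) return null;     // no userinfo component
  if (!ALLOWED_ORIGINS.has(url.origin)) return null; // exact origin match, never substring
  if (!/^\/[\w\-./]+\.js$/.test(url.pathname)) return null; // plain .js path only
  return url.origin + url.pathname;                  // drop query string and fragment
}

// Inserts the script only when the URL passes the check; returns true/false.
function loadCustomScript(doc, candidate) {
  const src = vetScriptUrl(candidate, doc.baseURI);
  if (src === null) return false;
  const customScript = doc.createElement('script');
  customScript.async = true;
  customScript.src = src;
  const first = doc.getElementsByTagName('script')[0];
  first.parentNode.insertBefore(customScript, first);
  return true;
}
```

A `Content-Security-Policy` header whose `script-src` lists the same origins makes the browser enforce the rule even on a code path that skips this function.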