Shibasis Sengupta - 3 years ago
Javascript Question

Does allowing a change of source at run time make the code vulnerable to an XSS attack?

I have a requirement to dynamically update the "src" link in the below code with a hyperlink which in turn will point to another .js file.
The following is just an example URL used for "src".
My question is: does allowing 'src' to change at run time make this code vulnerable to an XSS attack?
If yes, can you please advise which alternative approach can be taken?

<script type="text/javascript">(function() {
var customScript = document.createElement('script');
customScript.type = 'text/javascript';
customScript.async = true;
customScript.src = 'https://abcd.com/custom_file1.js';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(customScript, s);
})();
</script>

Answer Source

As far as I know, you're adding a new <script> tag whose src attribute value is determined within your JavaScript, and not by any kind of user input. Therefore, this would not be vulnerable to XSS attacks.

This is perfectly fine.
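The answer above depends on the src value not coming from user input. When the value is chosen at run time from anything outside the script itself, an allowlist check before the element is created keeps it to known files. This is an added example, not code from the question or the answer; TRUSTED_ORIGIN, ALLOWED_PATHS, custom_file2.js and both function names are assumptions built from the question's sample URL.

```javascript
// Assumed trusted origin and file list, based on the sample URL in the question.
const TRUSTED_ORIGIN = 'https://abcd.com';
const ALLOWED_PATHS = new Set(['/custom_file1.js', '/custom_file2.js']); // second entry is hypothetical

// Returns a normalized script URL if the candidate is on the allowlist, otherwise null.
function resolveTrustedScriptUrl(candidate) {
  if (typeof candidate !== 'string') return null;
  let url;
  try {
    // Relative values resolve against the trusted origin; absolute ones are parsed as given.
    url = new URL(candidate, TRUSTED_ORIGIN + '/');
  } catch (e) {
    return null; // not parsable as a URL
  }
  // origin covers scheme, host and port, so http:, javascript:, data:,
  // protocol-relative //other-host and look-alike hosts are all rejected here.
  if (url.origin !== TRUSTED_ORIGIN) return null;
  if (url.username || url.password) return null; // no embedded credentials
  // Compare the parser-normalized path, so dot segments cannot bypass the list.
  if (!ALLOWED_PATHS.has(url.pathname)) return null;
  return url.origin + url.pathname; // query string and fragment are dropped
}

// Same insertion pattern as the question's snippet, gated by the check above.
function loadCustomScript(candidate) {
  const src = resolveTrustedScriptUrl(candidate);
  if (src === null) return false; // refuse anything off the allowlist
  const customScript = document.createElement('script');
  customScript.async = true;
  customScript.src = src;
  const s = document.getElementsByTagName('script')[0];
  s.parentNode.insertBefore(customScript, s);
  return true;
}
```

A Content-Security-Policy `script-src` directive that lists only the trusted origin enforces the same restriction in the browser, independent of this check.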
