javascript-injection

问题 For a project I am working on I need to inject javascript prior to any of the webpage document processing begins. This can easily be achieved via the WebBrowser component, but I am encountering difficulty using CefSharp. Here is a simplification of the problem, a webpage needs an "InjectedObject" to be present to function. Calling the webpage without injection occurring at the very top of the document, or being evaluated/executed before the document is processed would result in: =====html

问题 I've got this kind of script I need to inject into ! function(e) { function doSomething() { } } Basically I get a reference to doSomething, when my code is called via Function object, but I need to hook to doSomething, so I need an original reference to id. Since doSomething is declared inside anonymous function I can't get to it. Question is, can I somehow inject code into the scope of anonymous function, Greesemonkey or any other tool. 回答1: Javascript doesn't make it easy to get values from

问题 I am trying to insert js files programmatically, using jquery and something like this: var script = document.createElement( 'script' ); script.type = 'text/javascript'; script.src = 'http://someurl/test.js'; $('body').append(script); It works fine, if test.js contains an alert or some simple code it works fine, but if the file test.js contains document.write , and the file including the js is hosted on another domain than test.js (or localhost), nothing happens and firebug shows the error : A

问题 I am trying to insert js files programmatically, using jquery and something like this: var script = document.createElement( 'script' ); script.type = 'text/javascript'; script.src = 'http://someurl/test.js'; $('body').append(script); It works fine, if test.js contains an alert or some simple code it works fine, but if the file test.js contains document.write , and the file including the js is hosted on another domain than test.js (or localhost), nothing happens and firebug shows the error : A

问题 I am sure I don't fully understand this problem, but it seems that we are seeing strange behavior on IE9 on my project, somehow related to out-of-order execution of JavaScript that has been injected via calls to document.write , e.g.: document.write('<scr'+'ipt type="text/javascript" src="'+file1+'"></src'+'ipt>'); document.write('<scr'+'ipt type="text/javascript" src="'+file2+'"></src'+'ipt>'); document.write('<scr'+'ipt type="text/javascript" src="'+file3+'"></src'+'ipt>'); My limited

问题 I am sure I don't fully understand this problem, but it seems that we are seeing strange behavior on IE9 on my project, somehow related to out-of-order execution of JavaScript that has been injected via calls to document.write , e.g.: document.write('<scr'+'ipt type="text/javascript" src="'+file1+'"></src'+'ipt>'); document.write('<scr'+'ipt type="text/javascript" src="'+file2+'"></src'+'ipt>'); document.write('<scr'+'ipt type="text/javascript" src="'+file3+'"></src'+'ipt>'); My limited

问题 Anyone know a good lib where i can run the strings before they are inserted, that can strip out sql/javascript code? To be run in jsp pages. Idealy the lib would be: Free Lightweight Easy to use Thanks in advance to the SO community who will happily reply :) 回答1: Apache Commons lang StringEscapeUtils will get you some of the way. It escapes, doesnt strip. http://commons.apache.org/lang/api/org/apache/commons/lang/StringEscapeUtils.html Edit: Escaping can save you from injection attacks

问题 I read an article about bookmarklets which says that bookmarklets are so powerful they can be dangerous. For example, a malicious bookmarklet can collect your "cookies", "localStorage", the string in the password input box and then send it to a remote server, which is similar to "script injection". I'm curious about that. Since this article was written in 2007 (8 years ago), is there any limitation for bookmarklets (as well as browser plugins) to improve the security in modern browsers? 回答1:

问题 I have started developing browser extensions. I noticed a common concept is that the extension can inject JS code into the current browser tab. I am a bit puzzled of how that doesn't cause issues on a regular basis. I mean, how can things still work if I inject version x of JQuery (through my browser extension) in a page that has already included version y of JQuery? Won't there be a conflict for the $() function? How is it possible things go that smoothly? Is there any particular technique

问题 I have been looking at Pagedown.js lately for the allure of using mark-down on my pages instead of ugly readonly textareas. I am extremely cautious though as it seems easy enough to dupe the sanitized converter. I have seen some discussion around Angular.js and it's html bindings and also heard something when Knockout.js 3.0 came out that there had been a previous unsafeness to the html binding. It would seem all someone would need to do to disable the sanitizer in Pagedown.js for instance is