tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

bug592656-1.html (1123B)

      1 <!DOCTYPE html>
      2 <html>
      3 <head>
      4 <title>document.write() from script-inserted inline scripts and script@onload</title>
      5 </head>
      6 <body>
      7 1
      8 <script>
      9 function write(num) {
     10  document.write(num + " ");
     11 }
     12 function scriptload() {
     13  document.write("\u003Cscript src='data:text/javascript,write(9)'>\u003C/script> 10 \u003Cscript>write(11)\u003C/script>");
     14  write(12);
     15 }
     16 function scripterror() {
     17  document.write("\u003Cscript src='data:text/javascript,write(16)'>\u003C/script> 17 \u003Cscript>write(18)\u003C/script>");
     18  write(19);
     19 }
     20 write(2);
     21 document.write("\u003Cscript src='data:text/javascript,write(3)'>\u003C/script> 4 \u003Cscript>write(5)\u003C/script>");
     22 var s = document.createElement("script");
     23 s.textContent = "write(6)";
     24 document.body.appendChild(s);
     25 write(7);
     26 document.write("\u003Cscript src='data:text/javascript,write(8)' onload='scriptload()'>\u003C/script> 13 \u003Cscript>write(14)\u003C/script>");
     27 write(15);
     28 document.write(`\u003Cscript src='nosuchscriptoutthere.js' onload='write("fail")' onerror='scripterror()'>\u003C/script> 20 \u003Cscript>write(21)\u003C/script>`);
     29 write(22);
     30 </script>
     31 </body>
     32 </html>