setAttribute() and XSS

I'm writing a script that needs to write the current page location to the DOM, and I'm concerned about XSS. Is the following JavaScript snippet safe from XSS?

// Create the element through the DOM API rather than by building HTML text
var script = document.createElement('script');
// The location is URL-encoded, so it becomes a single query-string value
script.setAttribute('src', 'http://fake.com?src=' + encodeURIComponent(document.location.href));
// Insert the element as a node; no HTML parsing takes place
document.getElementsByTagName('head')[0].appendChild(script);

I know that using document.write() to accomplish the same thing is not safe in various browsers, but I've not seen any source discussing if using the DOM access methods is.

Answers


There's no need to use "setAttribute":

script.src = 'http://fake.com?src=' + encodeURIComponent(document.location.href);

I don't see where an XSS vulnerability would sneak in here. The server code at "fake.com" has to be "hardened" against weird values of that "src" parameter, I suppose, but that's going to be true no matter what your Javascript looks like.
