setAttribute() and XSS
var script = document.createElement('script');
script.setAttribute('src', 'http://fake.com?src=' + encodeURIComponent(document.location.href));
// getElementsByTagName() returns a collection, so take the first <head> element
document.getElementsByTagName('head')[0].appendChild(script);
I know that using document.write() to accomplish the same thing is not safe in various browsers, but I've not seen any source discussing if using the DOM access methods is.
There's no need to use "setAttribute":
script.src = 'http://fake.com?src=' + encodeURIComponent(document.location.href);
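Added example (not part of the original question or answer): it checks which markup-significant characters encodeURIComponent() leaves in the src value, and compares pasting that value into document.write()-style markup with what the server decodes. The helper names and the sample page URL are constructed for illustration; only the fake.com endpoint string comes from the question.

```javascript
// Added example: helper names and the sample URL are constructed, not from the page.
const ENDPOINT = 'http://fake.com?src='; // endpoint string used in the question

// Value assigned to script.src / setAttribute('src', ...) in the question.
function buildSrc(pageUrl) {
  return ENDPOINT + encodeURIComponent(pageUrl);
}

// Characters that would end an attribute value or open a tag if the value
// were pasted into markup and re-parsed, as document.write() does.
function markupBreakers(value) {
  return [...new Set(value.match(/["'<>]/g) || [])];
}

// document.write()-style construction with a chosen attribute quote.
function asMarkup(src, quote) {
  return '<script src=' + quote + src + quote + '><\/script>';
}

// What an HTML parser would take as the src value: text up to the next quote.
function readBackSrc(markup, quote) {
  const start = markup.indexOf('src=' + quote) + 5;
  return markup.slice(start, markup.indexOf(quote, start));
}

// What the receiving server decodes from the query string.
function receivedValue(src) {
  return new URL(src).searchParams.get('src');
}

// Constructed page URL containing quotes and angle brackets.
const samplePageUrl = 'http://example.test/page?q="x\'y<z>';
const src = buildSrc(samplePageUrl);

console.log(src);
console.log('unescaped markup characters:', markupBreakers(src));
console.log('double-quoted markup keeps value:', readBackSrc(asMarkup(src, '"'), '"') === src);
console.log('single-quoted markup keeps value:', readBackSrc(asMarkup(src, "'"), "'") === src);
console.log('server sees original URL:', receivedValue(src) === samplePageUrl);
```

With script.src or setAttribute() the string is stored as the attribute value and never re-parsed as HTML, so the single quote that encodeURIComponent() leaves unescaped only matters when the value is written into markup.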