I’m writing a script that needs to write the current page location to the

Question

0

Asked: May 18, 20262026-05-18T09:48:29+00:00 2026-05-18T09:48:29+00:00

I’m writing a script that needs to write the current page location to the

0

I’m writing a script that needs to write the current page location to the DOM, and I’m concerned about XSS. Is the following Javascript snippet safe from XSS?

var script = document.createElement('script');
script.setAttribute('src', 'http://fake.com?src=' + encodeURIComponent(document.location.href));
document.getElementsByTagName('head')[0].appendChild(script);

I know that using document.write() to accomplish the same thing is not safe in various browsers, but I’ve not seen any source discussing if using the DOM access methods is.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-18T09:48:30+00:00

Editorial Team

2026-05-18T09:48:30+00:00Added an answer on May 18, 2026 at 9:48 am

There’s no need to use “setAttribute”:

script.src = 'http://fake.com?src=' + encodeURIComponent(document.location.href);

I don’t see where an XSS vulnerability would sneak in here. The server code at “fake.com” has to be “hardened” against weird values of that “src” parameter, I suppose, but that’s going to be true no matter what your Javascript looks like.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’m writing a script that needs to write the current page location to the

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply