Page 1 of 1

Run and load javascript within href?

Posted: Sun Mar 29, 2009 1:14 am
by cohq82
Hi, I would like to do this trick and was not sure if possible. Let say website http://www.aaa.com is someone else site. If I post a link on there, I would like when people click the link, instead of going to the url in href, it will popup a IFRAME or DIV on top of current page. How to do something like that? I would imagine using something like "javascript:function()" in the href but that must load the .js file somewhere, right? There was this company called Polyvore using this technique below in the href:

Code: Select all

javascript&#058;(function(){function t(d){var w=window;if(w.PolyvoreClipper){w.PolyvoreClipper.run();}else{var s=d.createElement("script");w._polyvoreMode="prod";s.src="http://polyvore.cachefly.net/rsrc/clipper.js?"+Math.floor((new Date()).getTime()/86400000);d.body.appendChild(s);}}try{t(document);}catch(e){}for(var i=0;i<frames.length;++i){var f=frames[i];try{if(f.frameElement.tagName=="IFRAME"){continue;}if(f.innerWidth<400||f.innerHeight<400){continue;}t(f.document);}catch(g){}}})();
However, that only works if the link is in the bookmark of browser. It loads clipper.js. Is there a way to do this without making a link a bookmark first on client side?

Thanks.

Re: Run and load javascript within href?

Posted: Sun Mar 29, 2009 4:07 am
by php_east
those codes only confuse the quest. you can do a

Code: Select all

<script type="text/javascript>
function pop_up()
{
}
 
before your codes.

then do a <a href="popup(url)".
if you want wc3 compliance hide the javascript in a js file and link it in. either way works.

Re: Run and load javascript within href?

Posted: Sun Mar 29, 2009 7:35 am
by kaszu
Let say website http://www.aaa.com is someone else site. If I post a link on there
If it's not your site then it's XSS.

Adding a link in to the bookmarks allows to execute javascript when user clicks that bookmark, but this JS is not in the page. But to make this JS run every time anyone visits that site you need to put JS in the source of the page and since it's not your site, then it is XSS and
9. Warez, copyright violation, or promotion of any other illegal activity may NOT be linked or expressed or posted in any form.

Re: Run and load javascript within href?

Posted: Mon Mar 30, 2009 1:41 am
by cohq82
@kaszu, do you have sample using XSS for the same purpose?

Re: Run and load javascript within href?

Posted: Mon Mar 30, 2009 1:26 pm
by kaszu
It may and may not be possible to inject your javascript into someones else page, depends if on that page they are escaping those links correctly. Even if they aren't and XSS exists, it doesn't mean you should use it and I think you can be held liable for doing any damage to their website.
Answer: No, i don't want to provide any samples.

Re: Run and load javascript within href?

Posted: Mon Mar 30, 2009 2:25 pm
by pickle
This is XSS - which is not something we like to promote. While you may not necessarily be trying to do something nefarious, it is exactly this technique that others use to do nefarious things. It's best if we don't discuss it.

Please PM me if you disagree.

Locking topic.