3

Like in LinkedIn's api example:

<script type="text/javascript" src="https://platform.linkedin.com/in.js">
  api_key: weqrw1zwufdsiot9434re
  onLoad: onLinkedInLoad
  authorize: true
</script>
Costa Michailidis
  • 7,691
  • 15
  • 72
  • 124

2 Answers2

9

In a script tag with a src attribute, the content of the tag is not processed as JavaScript. The tag is allowed to have content, but that content is script documentation which isn't processed by the browser by default. It's entirely possible that the LinkedIn API uses that text in some way (since it can retrieve it from the element), perhaps as a series of name:value pairs, but it's not JavaScript.

T.J. Crowder
  • 1,031,962
  • 187
  • 1,923
  • 1,875
2

In this case, nothing at all - a script[src] element does not execute its contents. However, the script itself can use those contents as a string and process it however it wants - while it may be more common to see JSON passed in this way, there really is no restriction.

As an example of how you can use this yourself, your external script may contain:

var scripts = document.getElementsByTagName("script"),
    thisScript = scripts[scripts.length-1];
// The above works because, at the time of execution,
// the current script is the last one on the page
// (unless "defer" is used, but just don't use it :p)

var text = thisScript.textContent || thisScript.innerText,
    lines = text.split("\n"),
    map = {}, kv, l = lines.length, i;
for( i=0; i<l; i++) {
    kv = lines[i].split(":");
    if( kv.length < 2) continue; // probably a blank line
    map[kv.shift().replace(/^\s+|\s+$/g,'')] = kv.join(":").replace(/^\s+|\s+$/g,'');
    // the "shift / join" shenanigans allows for colons in values without breaking
}
// you can now use map.api_key etc.
Niet the Dark Absol
  • 320,036
  • 81
  • 464
  • 592