7

I'm sorry the question title is so vague, but I was looking at some code from a Job posting boards conversion tracking software and ran across this for the first time.

    document.write('<i' + 'mg height="1" ' +
         'width="1" border="0" ' +
         'src="' + url + '&ifr' + 'ame=0" />');
    document.write('</ifr' + 'ame>');

Why are they breaking up the string literal in this manner? Specifically '</ifr'+'ame>'

Chris G.
  • 3,963
  • 2
  • 21
  • 40
  • Sometimes this is used to trick software that scans JavaScript for suspicious code (like iframes redirecting to another URL) – Sparky Dec 14 '11 at 17:31

3 Answers3

7

When HTML parsers see certain tags, even when embedded in JavaScript strings, they'll be parsed immediately as those tags.

Breaking them up avoids this behavior--<script> is the one that usually causes problems; I agree with Mike that it shouldn't be necessary for iframes (AFAIK no others, either, but I can't speak to that with any authority).

It's also a trick to avoid being trivially parsed by crawlers.

Dave Newton
  • 158,873
  • 26
  • 254
  • 302
  • Do you have an example? I'm pretty sure the bit about HTML parsers isn't true. – Mike Samuel Dec 14 '11 at 17:36
  • @MikeSamuel [Like this one?](http://stackoverflow.com/questions/3509818/why-script-tag-in-js-string-is-being-validated) I was imprecise in my answer, and I don't think it's necessary for `iframe`s as you said, but it is for `script`. I don't recall seeing your `script` example when you first answered. But it is true for the `script` tag, which is the same thing you said, and is because of the HTML parser. – Dave Newton Dec 14 '11 at 17:43
  • 1
    Understood. ``, ` – Mike Samuel Dec 14 '11 at 18:14
6

It looks like cargo cult programming.

In HTML, you need to make sure that your <script> blocks do not contain </script> that you do not want to end the script.

For example,

<script>document.write('<script>alert(42);</script>');</script>

is a broken script but

<script>document.write('<script>alert(42);<\/script>');</script>

is a single well-formed script block.

In XHTML, <script>s don't work that way so you need to worry about ]]> instead when you're using CDATA sections.

In either case though, splitting </iframe> and <img is unnecessary.

Mike Samuel
  • 118,113
  • 30
  • 216
  • 245
1

My guess is they are doing that in an attempt to defeat web crawlers which would ordinarily parse the static HTML looking for certain tags to scrape.

Jake Feasel
  • 16,785
  • 5
  • 53
  • 66