Thanks, but I don't follow what you write here. The test
!s.url.indexOf("http") evaluates to !0 == TRUE when s.url begins with
"http". It is then that <script> is used, not when s.url begins with
"file".
In fact, what the post does is to inject a script from a potentially
external URL. If anything this would increase the possibility of an XSS
attack, not reduce it. In fact, I'm now beginning to wonder whether I
should have titled this thread something like "XSS vulnerability in
jQuery"...
I remain as puzzled as ever.
Kynn
On Jan 22, 2008 5:47 PM, h0tzen <[EMAIL PROTECTED]> wrote:
>
> I think the key check is this: !s.url.indexOf("http")
>
> "file://foo/bar" can't be requested via XHR, so a <script> tag is used...
>
> On 22 Jan., 23:20, "Kynn Jones" <[EMAIL PROTECTED]> wrote:
> > I understand what the test at the top is testing for, but I don't
> > understand the policy implemented by the code that runs when the test
> > evaluates to true.
>
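
Added example (not part of the thread's messages and not jQuery's code): the prefix test quoted above, run over constructed URLs next to an origin comparison and an allow-list policy. The function names, hosts and allow-list are assumptions made for illustration.

```javascript
// Added example; everything except the quoted test expression is hypothetical.

// The test from the thread: indexOf() returns 0 on a prefix match, and !0 is true.
// Any other result (-1 or a positive index) is truthy, so the negation is false.
function startsWithHttp(url) {
  return !url.indexOf("http");
}

// What a defender actually wants to know: does the URL resolve to another origin?
function isCrossOrigin(url, pageUrl) {
  return new URL(url, pageUrl).origin !== new URL(pageUrl).origin;
}

// Policy sketch: same-origin goes over XHR; script-tag loading is allowed only
// for cross-origin hosts on an explicit allow-list; everything else is refused.
function chooseTransport(url, pageUrl, allowedOrigins) {
  if (!isCrossOrigin(url, pageUrl)) return "xhr";
  const origin = new URL(url, pageUrl).origin;
  return allowedOrigins.includes(origin) ? "script" : "refuse";
}

// Constructed sample data (reserved .test hosts).
const PAGE = "http://app.example.test/index.html";
const ALLOWED = ["http://cdn.example.test"];
const SAMPLES = [
  "http://app.example.test/data.js",  // absolute but same origin
  "http://cdn.example.test/lib.js",   // cross origin, allow-listed
  "https://other.example.test/x.js",  // cross origin, not allow-listed
  "httpdocs/data.js",                 // relative path that merely starts with "http"
  "file:///foo/bar",                  // does not start with "http"
  "/data.json",                       // relative, same origin
];

function report() {
  return SAMPLES.map((url) => ({
    url,
    prefixTest: startsWithHttp(url),
    transport: chooseTransport(url, PAGE, ALLOWED),
  }));
}

console.table(report());
```

The prefix test is true for the same-origin absolute URL and for the relative path `httpdocs/data.js`, which is why the sketch decides on the resolved origin instead of the leading characters.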