Stack Overflow
Stack Overflow

How to start script in HTML without – user8167940 Jun 15 '17 at 19:04

  • In your image of the markup page, why not just click "script" at the top and put your scripts there? I've never used WaveMaker and you never told us what you're end goal is but that seems like the first place I'd look. – Corey Ogburn Jun 15 '17 at 19:07
  • @CoreyOgburn I tried to do that, but the issue is that the entire HTML that I'm trying to embed combines – user8167940 Jun 15 '17 at 19:12
  • 1
    use an event attrib to inject an external script into the document; a small amount of code to open up an unlimited amount. – dandavis Jun 15 '17 at 19:28
  • @dandavis so you mean running a local .js document in an event? – user8167940 Jun 15 '17 at 19:40
  • i was thinkning more a url, a ` – dandavis Jun 15 '17 at 22:28

    • 3 Answers3

    6

    What you can do is put it inside an HTML event attribute.

    <body onload="/*your JS here*/">

</body>

    If that does not work, try attaching onload to another HTML element or try one of the other event handlers (though I believe that they should have taken this into account as well)

    techfly
    • 1,826
    • 3
    • 25
    • 31
    • I can't usually get away with using either. So would you recommend sticking it on '' (see the image I linked to in the OP) instead? – user8167940 Jun 15 '17 at 19:01
    • 1
      I suggest trying to add those to any html element, just try around (but if it doesn't work for one of those, I guess they blocked it and it won't work for all the others as well) – techfly Jun 15 '17 at 19:04
    • thank you! I tried that, but it didn't quite work as expected. I just took the – user8167940 Jun 15 '17 at 19:14
    • No, you need to put actual javascript code in there and not a src link – techfly Jun 15 '17 at 20:17
    • When I try that, for some reason it doesn't work. I think the issue is that the javascript that the URL goes to is a ton of paragraphs, so I think it doesn't realize that it's still supposed to be script and not HTML – user8167940 Jun 15 '17 at 20:35
    • Does it work if you are trying a simple `alert("something");` ? – techfly Jun 15 '17 at 20:41
    1

    How about this : 

    <body onload="javascript:(function(){
// you can place your code here it should run
alert('ok')
})()">

</body>
    Riaz Laskar
    • 1,317
    • 9
    • 17
    • It's really weird, I tried that, and it didn't seem to work either. Thank you though!! PS: for more details on what happened, see the answer above this one. I encountered basically the same issues. – user8167940 Jun 15 '17 at 20:37
    • I found this may be it will be helpful http://dev.wavemaker.com/wiki/bin/wmdoc_6.5/JavaScript#HExecutingJavaScriptonPageLoading – Riaz Laskar Jun 15 '17 at 20:53
    1

    In Avatao's Senior Web Security Career Path, there is a hacking task, where you need to insert malicious javascript code - but the <script> is tag filtered (other tags aren't). Aenadon's answer gived me one solution:

    <body onload="your JS here"> </body>

    After submitting that, I checked the official solution, and I found that:

    <img src="x" onerror=alert('xss')>
    DaWe
    • 1,422
    • 16
    • 26