Wednesday, November 22nd, 2006
Dr Nic Williams has written up a piece on how to embed your components on another site using an XSS approach instead of an iframe one.
The tutorial goes through:
The user will load up the webpage (e.g. Ajaxian mock page) that has a small <script src="http://yoursite.com/magic_xss.js"></script> snippet in it. When the page is loaded, the magic_xss.js file is loaded too. The user doesn't know nor care.
When the magic_xss.js file is loaded it will do a couple of things:
- Install any stylesheets it needs
- Insert an empty, invisible HTML element into the page (e.g. <div id="my_magic_xss" />).
- Read in any variables (e.g. Google Adsense requires the website owner to specify a number of variables, such as google_ad_format)
- Insert new HTML into the #my_magic_xss element based on the data that is returned from your own server. Your server – not the host website's server.
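
A sketch of the loader those steps describe, added here as an example and not taken from Dr Nic's tutorial. The widget.css and widget.json paths, the my_magic_xss_format variable and its allowed values are assumptions, and the cross-origin fetch assumes your server sends CORS headers for the host site.

```javascript
// magic_xss.js: added sketch of the loader steps listed above (not Dr Nic's code).
// Assumed names: the /widget.css and /widget.json paths, the
// my_magic_xss_format variable and its allowed values.
const WIDGET_ORIGIN = "http://yoursite.com";
const ALLOWED_FORMATS = ["list", "compact"];

// Step 3: read host-page variables, accepting only known values.
function readConfig(win) {
  const format = win.my_magic_xss_format;
  return { format: ALLOWED_FORMATS.includes(format) ? format : "list" };
}

// Steps 1 and 2: install the stylesheet and the empty, hidden container.
function installShell(doc) {
  const link = doc.createElement("link");
  link.rel = "stylesheet";
  link.href = WIDGET_ORIGIN + "/widget.css";
  doc.head.appendChild(link);

  const box = doc.createElement("div");
  box.id = "my_magic_xss";
  box.style.display = "none";
  doc.body.appendChild(box);
  return box;
}

// Step 4: build nodes from server data. textContent keeps the data as text,
// so markup in a title is never parsed as HTML in the host page.
function render(doc, box, config, items) {
  box.className = "magic-xss-" + config.format;
  for (const item of items) {
    const row = doc.createElement("p");
    row.textContent = String(item.title);
    box.appendChild(row);
  }
  box.style.display = "";
  return box;
}

// Browser entry point; skipped when no DOM is present.
if (typeof document !== "undefined") {
  const config = readConfig(window);
  const box = installShell(document);
  fetch(WIDGET_ORIGIN + "/widget.json?format=" + config.format)
    .then((res) => res.json())
    .then((items) => render(document, box, config, items));
}
```

The script runs with the host page's full privileges, so keeping server data out of innerHTML limits what a tampered data feed can do there.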
Posted by Dion Almaer at 9:04 am