3

I have a line of code: 

Response.write("<script language=""text/JavaScript"">alert(""What up dog"");</script>")

This doesn't work. I see no alert box, yet I see the page source has written the code correctly:

<script language="text/JavaScript">alert("What up dog");</script>

What I'm actually trying to do is this: 

Response.write("<script language=""text/JavaScript"">document.cookie = '" & Cookie & " = ; expires=Thu, 01 Jan 1970 00:00:01 GMT;';</script>")

That is: Delete a cookie with the name stored in the ASP variable 'cookie'. This doesn't work either, which is why I'm attempting to create the alert box just to test where I'm screwing up.

I've tried deleting the cookie with pure ASP (Response.cookie(Cookie).expires = Now() - 1), but since I made the cookie with JavaScript, it's not HTTPOnly so I can't access it with ASP. (I just learned this, so I'm not 100% on the why of it all, but there it is.)

So, back to the first line of code, why am I not seeing a JavaScript alert box with that line of code? I'm obviously missing something simple (it's always something simple).

JGGR13
  • 55
  • 1
  • 1
  • 5
  • 1
    You should be able to access the cookie from the server, HTTP-Only or not. – Pointy Jan 22 '13 at 13:59
  • 1
    When is the first line processed? JavaScript won't just run when injected into the page. It needs an event to trigger it. – isherwood Jan 22 '13 at 13:59
  • 1
    Similiar http://stackoverflow.com/questions/11556025/javascript-function-says-that-is-undefined – Musa Jan 22 '13 at 14:00
  • @Pointy: http://stackoverflow.com/questions/4999360/how-do-i-set-the-httponly-flag-of-a-cookie-with-javascript <-- That's where I gleamed that tidbit of information. – JGGR13 Jan 22 '13 at 14:14
  • @JGGR13 you made an incorrect inference - HTTPOnly means that only the server can read the cookies; if that's not set, then both the server and the client can read it. – Pointy Jan 22 '13 at 14:16
  • @Pointy: Fair enough. Sorry for the confusing, I'm (re)learning web dev. – JGGR13 Jan 22 '13 at 14:21
  • @isherwood What are you talking about? Of course you can run code that's injected. How else is code run? – Ian Jan 22 '13 at 14:29
  • @Ian, I didn't say injected code couldn't be run. I said it needs a trigger of some sort. You can't simply paste code into a page after load and expect it to do anything. Hence my initial question. – isherwood Jan 22 '13 at 14:55
  • @isherwood And I don't understand what you mean by "it needs a trigger of some sort". If you put a block of ` – Ian Jan 22 '13 at 15:07
  • You're correct. I misunderstood what was happening in the OP. – isherwood Jan 22 '13 at 15:29

1 Answers1

7

The language="" attribute for <script/>-tags is deprecated and erroneous values prevent scripts from being executed in many browsers.

To me it looks like you were heading for the type="" attribute.

Try the following code:

Response.write("<script type=""text/javascript"">alert(""What up dog"");</script>")
Cobra_Fast
  • 15,671
  • 8
  • 57
  • 102
  • Thank you very much Cobra_Fast. Apparently it's been too damn long since I wrote anything for the web. Old dogs, new tricks and all that. And FTR: That solved my cookie deletion issue as well. – JGGR13 Jan 22 '13 at 14:12