This test case tries to use unobtrusive javascript to inject a foreign javascript (such as hosted by advertisement and statistics services). Injecting the script itself is no problem (first test case). However, if the foreign javascript contains document.write() statements, some current browsers go awry (second test case). The problem lies in a combination of factors, one of which is the content mime type (application/xhtml+xml or text/html) and another is the way the document.write() statement is being abused. Hopefully this test case will show why authors should refactor their code to remove document.write() and replace it with methods like document.appendChild().
The script injected by this test case employs window.alert() to raise a message. It should not present any problems in any DOM-capable browser. The difference between application/xhtml+xml and text/html should not make a difference. After starting the script, this case should show an empty red-bordered box, followed by an alert raised from within the injected script. After dismissing the alert, the box border should be blue.
Test javascript injection:
Watch out! This case may crash Internet Explorer 7 and perhaps other browsers, too. Use at own risk! The script injected by this test case, employs document.write() to append information to current page, preferably into the boxed area below. This should fail in most current browsers if the content mime type is set to application/xhtml+xml. (Please also try this case as text/html.) After starting the script, this case should fill the box below with text created by the injected script, but only when this page is delivered as text/html. When delivered as application/xhtml+xml, no content should be added. When the script has ended, the box border should turn blue.
Test javascript injection:
Tested on MS Windows 2003 Server and XP Professional
| Content delivered as text/html instead of application/xhtml+xml, distinction made by querying HTTP_ACCEPT header. | |||
|---|---|---|---|
| Browser | Test case 1 | Test case 2 as application/xhtml+xml | Test case 2 as text/html |
| Safari 3 Beta | Fails * | Succeeds: shows nothing, but may mistakenly assume javascript is disabled ** | Fails: overwrites current document |
| Opera 9.5 Alpha | Succeeds | Succeeds: shows nothing | Fails: shows nothing |
| Opera 9.23 | Succeeds | Succeeds: shows nothing, but may mistakenly assume javascript is disabled | Fails: shows nothing |
| K-Meleon 1.02 | Succeeds | Succeeds: shows nothing | Fails: overwrites current document |
| Internet Explorer 7 | Succeeds | Not applicable | Fails: shows nothing and may get stuck in endless loop |
| Internet Explorer 6 | Succeeds | Not applicable | Fails: shows nothing |
| Firefox 3 Alpha | Succeeds | Succeeds: shows nothing | Fails: shows nothing |
| Firefox 2.0.0.6 | Succeeds | Succeeds: shows nothing | Fails: overwrites current document |
| * | Succeeds when content delivered as text/html instead of application/xhtml+xml. | ||
| ** | Script support recognised correctly when content delivered as text/html. | ||