0

The company which developed my website just added this JavaScript code to the Zend Guard encrypted index.php file (I saw it with "View source"):

(function ()
{
    var smrs = document.createElement("script");
    smrs.type = "text/javascript";
    smrs.async = true;
    smrs.src = document.location.protocol + "//www.domain.com/file.js";
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(smrs, s);
})();

It injects a very aggressive JavaScript code which adds an image link to their website (with a setInterval every 10 sec), at the bottom of the page.

The problem? A local competitor, which is currently being accused of significant fraud, has the same CMS and the same image link.

Being associated with that competitor is prejudicial for me. I would like to know if there is a way to block the "www.domain.com/file.js" loading with a .htaccess.

Thanks.

7
  • Can't you just remove it from the code? Commented Dec 14, 2012 at 14:57
  • @Quentin : it is not a duplicate as nobody is calling a JS from my server. Commented Dec 14, 2012 at 15:01
  • @epascarello : the code is obfuscated. I can't edit it. Commented Dec 14, 2012 at 15:01
  • @AsKaiser - So you want to prevent a website you don't control from loading JavaScript from another website you don't control? That is, thankfully, impossible. Commented Dec 14, 2012 at 15:10
  • @Quentin : It is my website. Despite the fact that the index.php is obfuscated, I have control over a custom JS file and parts of the HTML. I added a setInterval function which deletes the mark every second. It is ugly, but I have no other solution, yet. Commented Dec 14, 2012 at 15:19

1 Answer

2

You can't (using htaccess). This JavaScript creates a script tag to load the external JavaScript. The call never passes through the server. So Apache (htaccess) can't block that.

The easiest way is to search in the source code and remove the script (if you have access).

UPDATE:

I see the script is encrypted... If you can insert a script at the very beginning (before the code gets executed), you can create a hook on the insertBefore method. Here is a working fiddle:

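var ALLOWED_DOMAINS = ['www.klaartjedevoecht.be', 'jsfiddle.net'];
function createHook(){
    // Extract the host part of a URL; returns null when there is none
    function getDomain(url) {
        var m = url.match(/:\/\/([^/]+)/);
        return m ? m[1] : null;
    }
    var insertBefore = Element.prototype.insertBefore;
    Element.prototype.insertBefore = function(new_node, existing_node){
        // Only script elements with an external src are filtered
        var isScript = new_node.tagName && new_node.tagName.toLowerCase() === 'script';
        if (isScript && new_node.src && ALLOWED_DOMAINS.indexOf(getDomain(new_node.src)) === -1) {
            return new_node; // blocked: never attached, so never loaded
        }
        // Everything else (images, divs, allowed scripts) uses the native method
        return insertBefore.call(this, new_node, existing_node);
    };
}
createHook();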

//TESTING CODE:

var smrs = document.createElement("script");
    smrs.type = "text/javascript";
    smrs.async = true;
    smrs.src = document.location.protocol + "//www.klaartjedevoecht.be/test.js";

//var smrs = document.createElement("img");
//    smrs.src= "http://img52.imageshack.us/img52/7653/beaverl.gif";

var s = document.getElementsByTagName("div")[0];
    s.parentNode.insertBefore(smrs, s);

I agree it's a bit hacky, but at least it's cleaner than the timer solution. If you can't remove it, there is no clean solution.
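
An added example, not part of the original answer: the same allow-list idea extended to `appendChild` and `replaceChild` as well as `insertBefore`, with the host check done by the `URL` parser instead of a regex. The names `isAllowedScript` and `installScriptGuard` are hypothetical, and the allow-list entry is taken from the answer's own list.

```javascript
// Added example; isAllowedScript and installScriptGuard are hypothetical names.
// A script URL may load if its host is the page's own host or is allow-listed.
function isAllowedScript(src, pageUrl, allowedHosts) {
    var host;
    try {
        // Resolves relative and protocol-relative ("//host/x.js") URLs
        host = new URL(src, pageUrl).hostname.toLowerCase();
    } catch (e) {
        return false; // unparsable URL: refuse
    }
    return host === new URL(pageUrl).hostname.toLowerCase() ||
        allowedHosts.indexOf(host) !== -1;
}

// Wrap the child-insertion methods on `proto` (Node.prototype in a browser).
// Returns the array of blocked URLs so they can be logged or reported.
function installScriptGuard(proto, pageUrl, allowedHosts) {
    var blocked = [];
    ['insertBefore', 'appendChild', 'replaceChild'].forEach(function (name) {
        var original = proto[name];
        proto[name] = function (newNode) {
            var isScript = newNode && typeof newNode.tagName === 'string' &&
                newNode.tagName.toLowerCase() === 'script';
            // Inline scripts (no src) and non-script nodes pass through
            if (isScript && newNode.src &&
                    !isAllowedScript(newNode.src, pageUrl, allowedHosts)) {
                blocked.push(newNode.src);
                return newNode; // never attached, so never fetched
            }
            return original.apply(this, arguments);
        };
    });
    return blocked;
}

// In a browser, run this in a script placed before the vendor code executes.
if (typeof Node !== 'undefined' && typeof location !== 'undefined') {
    installScriptGuard(Node.prototype, location.href, ['jsfiddle.net']);
}
```

This covers only the three classic insertion methods; a script attached through other DOM APIs, or given its src after insertion, is not caught.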
