If I have a directory structure like so:

    /
    ├── home
    │   └── user
    │       └── test.js
    ├── usr
    │   └── bin
    └── var
        └── www
            └── index.html

Putting aside folder permissions for the moment, if index.html had the following line

    <script src="../../../home/user/test.js">

or

    <script src="/home/user/test.js">

Would this be valid? If so, is there any way to prevent this so only nested folders can be reached (EDIT: symbolic links must also be ignored)?

asked Nov 7, 2011 at 1:56 by puk

3 Answers

The browser will attempt to access whatever path is in the src attribute. You can restrict certain paths by setting file permissions through your web server (e.g. Apache).

It is valid. It's the web server's job to serve or not to serve the file.

If you use /home/user/test.js, however, that's usually relative to the document root, so it's equivalent to http://<host>/home/user/test.js.

<script src="/home/user/test.js"> would be valid. It would just use whatever domain was on the host web page and would start from the top level directory there. For example, if the host web page was:

    http://www.example./projectA/test.html

then <script src="/home/user/test.js"> would generate a request for the file at this location:

    http://www.example./home/user/test.js
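
An added example, not part of the original question or answers: a Python sketch of both halves of the thread, showing how a browser resolves the two src values into a request path, and a server-side check that maps that path under the document root and refuses anything, symbolic links included, that resolves outside it. The host www.example.com, the files js/app.js and link.js, and the function names are assumptions made for the illustration; the question's tree is rebuilt in a temporary directory.

```python
import os
import tempfile
from urllib.parse import unquote, urljoin, urlsplit


def browser_request_path(page_url, src):
    """Path a browser requests for a src value (RFC 3986 resolution)."""
    return urlsplit(urljoin(page_url, src)).path


def resolve_under_root(doc_root, url_path):
    """Real file for url_path if it lies inside doc_root, else None.

    realpath() collapses '..' and follows symbolic links before the check."""
    root = os.path.realpath(doc_root)
    relative = unquote(url_path).lstrip("/")  # decode, then treat as relative
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Rebuild the question's tree in a temp dir (constructed sample data)."""
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "home", "user")
        www = os.path.join(base, "var", "www")
        os.makedirs(home)
        os.makedirs(os.path.join(www, "js"))
        for name in (os.path.join(home, "test.js"),
                     os.path.join(www, "index.html"),
                     os.path.join(www, "js", "app.js")):
            open(name, "w").close()
        # Hypothetical symbolic link inside the root that points outside it.
        os.symlink(os.path.join(home, "test.js"), os.path.join(www, "link.js"))
        page = "http://www.example.com/index.html"  # assumed host
        served = {}
        for src in ("../../../home/user/test.js", "/home/user/test.js",
                    "js/app.js", "link.js"):
            path = browser_request_path(page, src)
            served[src] = (path, resolve_under_root(www, path) is not None)
        # A client that skips URL normalisation can still send a raw '..' path.
        raw = "/../../home/user/test.js"
        served["raw"] = (raw, resolve_under_root(www, raw) is not None)
        return served


if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

Both src values from the question become a request for /home/user/test.js under the document root, which does not exist there; only js/app.js is served, and the symbolic link is refused because its real path lies outside the root.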