First, there’s a syntactic error here:
    window.top.location.href = 'http://sendtestewebsite.com;

The ' that closes the string is missing:

    window.top.location.href = 'http://sendtestewebsite.com';

Now, let’s reformat the code to better understand:

    <!doctype html>
    <html>
        <head>
            <meta charset="utf-8" />
            <style>
                * { border: 0; margin: 0; outline: 0; padding: 0;}
            </style>
            <title></title>
        </head>
        <body>
            <script type="text/javascript">
                (function (d, w, h) {
                    var reverseUrl = '//' + location.host + '/afu.php?zoneid=1209384&var=1209384';
                    h.pushState(null, document.title, reverseUrl);
                    h.pushState(null, document.title, reverseUrl);
                })(document, window, history);
            </script>
            <script type='text/javascript'>
                if (window.top !== window.self && false) {
                    window.top.location.href = 'http://sendtestewebsite.com';
                } else {
                    location.href = 'http://sendtestewebsite.com';
                }
            </script>
        </body>
    </html>

Let’s start with this:

    (function (d, w, h) {
        var reverseUrl = '//' + location.host + '/afu.php?zoneid=1209384&var=1209384';
        h.pushState(null, document.title, reverseUrl);
        h.pushState(null, document.title, reverseUrl);
    })(document, window, history);

This declares an anonymous function with three parameters and invokes it by passing the document as d, the window as w and the history as h. That is, it is equivalent to this:

    var reverseUrl = '//' + location.host + '/afu.php?zoneid=1209384&var=1209384';
    history.pushState(null, document.title, reverseUrl);
    history.pushState(null, document.title, reverseUrl);

The w and the d are ignored; the function only uses the h (that is, history). Note that it uses document directly instead of using d.
The name location.host is the name of the website hosting the page. If you open the browser console expression evaluator here and type location.host, the answer will be pt.stackoverflow.com. Obviously, this will depend on where you are hosting this HTML.
The history.push serves to change the browsing history of the tab in question. The first parameter corresponds to the state of the page (it is not relevant in this case), the second to its title (but the browsers seem to ignore this parameter) and the third is the URL. For example, if you put this on the console:

    history.pushState({a: "teste"}, "Testando pushState", "//pt.stackoverflow.com/teste-pushState");

You will see that the page URL in the browser will change to "/teste-pushState" and the old URL will be placed in the history. If you do this twice, both the current and previous URL will be for this site.
Now, in this part:

    if (window.top !== window.self && false) {
        window.top.location.href = 'http://sendtestewebsite.com';
    } else {
        location.href = 'http://sendtestewebsite.com';
    }

Note the && false. It ensures that execution never enters the if and always falls into the else, which gives this:

    location.href = 'http://sendtestewebsite.com';

This will try to send the browser to another very different page.
Now, let’s see the malice of it. When the user opens this page, they will be immediately redirected to another (sendtestewebsite). When they click the back button (or even click it twice), they will land on the page that has the '/afu.php?zoneid=1209384&var=1209384'. If this page is just the one in this HTML, they will be redirected back to the sendtestewebsite, getting stuck on this site.
That kind of practice is suspicious to say the least, and it’s probably malicious. Your users will not like this and will feel annoyed with your site if you do. For security reasons, the browser blocks attempts to place in the history access to sites other than the one being browsed, and for this reason, the location.host is used.
This also seems to be the kind of thing malware automatically puts on hacked websites to redirect users to places they wouldn’t want to go.
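
For site owners who want to check their own pages for this injection, the following is an added example (not part of the original answer): a Node.js static check that flags the combination analysed above, history entries padded with pushState plus a script-driven redirect to another host. The names inlineScripts and analyze, the result fields and the host example.test are assumptions; SAMPLE is the two scripts from the page under discussion.

```javascript
// Added example: static check for the back-button redirect trap analysed above.
// SAMPLE holds the page's two inline scripts; analyze() and its fields are hypothetical names.
const SAMPLE = `<script type="text/javascript">
(function (d, w, h) {
  var reverseUrl = '//' + location.host + '/afu.php?zoneid=1209384&var=1209384';
  h.pushState(null, document.title, reverseUrl);
  h.pushState(null, document.title, reverseUrl);
})(document, window, history);
</script>
<script type='text/javascript'>
if (window.top !== window.self && false) {
  window.top.location.href = 'http://sendtestewebsite.com';
} else {
  location.href = 'http://sendtestewebsite.com';
}
</script>`;

// Return the bodies of all inline <script> elements.
function inlineScripts(html) {
  return [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]);
}

// pageHost: the host the HTML is served from (what location.host would evaluate to).
function analyze(html, pageHost) {
  const js = inlineScripts(html).join('\n');
  // 1. History padding: pushState calls that stack extra entries behind the page.
  const pushes = (js.match(/\.pushState\s*\(/g) || []).length;
  // 2. Dead branch: a condition forced to false so the else always runs.
  const deadBranch = /&&\s*false\s*\)/.test(js);
  // 3. Script-driven navigation to a literal URL on a different host.
  const externalHosts = new Set();
  for (const m of js.matchAll(/\blocation(?:\.href)?\s*=\s*['"]([^'"]+)['"]/g)) {
    try {
      const host = new URL(m[1], `http://${pageHost}/`).host;
      if (host !== pageHost) externalHosts.add(host);
    } catch { /* unparsable URL literal: ignore */ }
  }
  // The trap needs both halves: padded history plus an off-site redirect.
  const trap = pushes > 0 && externalHosts.size > 0;
  return { pushes, deadBranch, externalHosts: [...externalHosts], trap };
}

console.log(analyze(SAMPLE, 'example.test'));
```

A single pushState call with no off-site redirect, as in ordinary single-page applications, does not set trap.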
This code has syntax errors. Which specific part is difficult?
– Isac