I would like to add a JavaScript <script></script>
tag, containing or sourcing untrusted code, to web pages PhantomJS visits, and have the page behave as if the page originally included the tag.
includeJs()
/injectJs()
do not do what I need - they inject code into my PhantomJS environment, but I need my code injected into the web page. Further, these functions expose my PhantomJS local variables to the untrusted code, which I do not want.
evaluate()
does not do what I need either, as it will not take a string containing untrusted JavaScript. Instead, it expects my PhantomJS script to include a function I wrote.
How can I inject untrusted JavaScript into a web page I visit with PhantomJS?
It turns out
page.evaluate()
accepts arguments that are passed to your JavaScript function. Capitalizing on that, I was able to pass the actual JavaScript I want to run on my page into a function run frompage.evaluate()
which injects a script block into the page: