This document discusses JavaScript SEO and cross-site scripting (XSS) vulnerabilities. It notes that Googlebot, the web crawler used by Google, now uses Chrome to render JavaScript for indexing purposes. However, this opens up the potential for XSS attacks that allow manipulation of Google's search index. The document provides examples of how XSS vulnerabilities in HTML applications or parameters could allow injecting JavaScript code that would be executed by Googlebot.

1. JavaScript SEO XSS
taskey

2. 1.

3. We Are JavaScripters! :))

4. We Are JavaScripters! :))

5. <script type="application/ld+json">
{
"@context": "http://schema.org/",
"@type": "Person",
"name": "Masakazu Fukami",
"job": “CTO",
"twitter": "@fukamiiiiinmin",
"company": “taskey inc.”,
"favorites": ["SEO", " "]
}
</script>

6. / /

7. SEO

11. SEO
•
• DB

12. ※SEO 2
•
•
•
•
•
•

13. ※SEO 2
•
•
•
•
•
•

14. Google
• SSR 1 html
• etc) wordpress
• SPA ajax
• etc) React, Vue

15. • SSR 1 html
• etc) wordpress
• SPA ajax
• etc) React, Vue
SEO

16. • SSR 1 html
• etc) wordpress
• SPA ajax
• etc) React, Vue
SEO

17. JS Google Bot

18. Google bot
JS

19. Google bot
JS

20. Google bot
Chrome 41

23. Google I/O 2019

25. • Google Bot WRS Website Rendering
System
•

27. JS SEO

28. SPA

29. NO

30. Rendering Queue
&
Rendering Badget

31. Render Queue
• html
: SSR

32. Render Badget
• Google
• CSR
• UGC SSR
:

33. SSR
Google

34. WRS RE
🤔

35. 1

36. Google 5

37. Google

38. XSS
Cross Site Scripting

39. : XSS attacks on Googlebot allow search index manipulation

40. 1: XSS
• Chrome XSS
XSS
• open -na Google Chrome Canary --args --
disable-xss-auditor

41. 2: HTML App
&HTML params
• Ruby on Rails
• <%= params[:page] %> <%==
params[:page] %> HTML

42. host?page=[javascript]
• host?page=<script>alert(‘aaa’)</script>
• host?page=<script>document.body.inner
Text=' ';</
script>

45. JavaScript SEO XSS
taskey