Decompressing script injected scripts

Orde Saunders' avatarPublished: by Orde Saunders

When I previously looked at script injected scripts it was in reference to putting the scripts in the server sent markup. Whilst this is good for our main functionality like analytics or the tag manager. However, when we get into adding scripts via the tag manager keeping the script injected script markup is usually a better idea for a couple of reasons:

  • Once a tag manager is running and injecting scripts the performance benefits of the direct <script src="..." defer/> tag are not longer a factor.
  • There's less chance of introducing an error by decompressing a script provided in this format.

That said, when we first get a script to add it's always worth going over a script and doing the decompression to check what we're implementing. A typical script we will be given by a third party might look like this:

<script>(function(a,b,c,d,e,f,g){e['xmpl_o']=c;e[c]= e[c]||function(){(e[c].a=e[c].a||[]).push(arguments)};f=d.createElement(b);g=d.getElementsByTagName(b)[0];f.async=1;f.src=a;g.parentNode.insertBefore(f,g);})('//tracking.example.com/tracking.js','script','xmpl',document,window);</script>

Now this looks pretty standard but there's more than just a script injected script going on here. A basic decompression gives us the following:

<script>
(function(a, b, c, d, e, f, g) {
    window['xmpl_o'] = 'xmpl';
    window['xmpl'] = window['xmpl'] || function() {
        (window['xmpl'].'//tracking.example.com/tracking.js' = window['xmpl'].'//tracking.example.com/tracking.js' || []).push(arguments);
    };
    f=document.createElement('script');
    g=document.getElementsByTagName('script')[0];
    f.async=1;
    f.src= '//tracking.example.com/tracking.js';
    g.parentNode.insertBefore(f,g);
})('//tracking.example.com/tracking.js','script','xmpl',document,window);
</script>

In this case the script is creating its own array into which its storing some information about how it was called. Now the obvious disclaimer here is that we're injecting a script into the page and it can then do whatever it likes but we're doing our due diligence to check there's nothing shady, such as modifying the script URL, going on.

Having checked the decompressed script we can now add the original compressed version into our tag manager and test it's working.

If you'd like some help with tag management for your site please get in touch.