For a while now we have been playing with heat mapping from a third party company, Click Density.
It works real well, and you can really see how your users are using your site (else they really wouldn't be users! - ed.). But with multiple sites under our belt and swathes of sites coming our way we wondered how easy it would be to create something that we could plug'n'play with.
Generic Handlers
.Net comes with a great file type called a generic handler (*.ashx) which allows you to send back to the requestor any type of file that you want to send back to them. This could be XML, JSON or even an image. But all we need to send back is Javascript.
At first we thought this would be cross domain scripting which is not allowed, but actually its just popping a URL onto someone's page and the Javascript would run.
<script src="http://where.your-generic-handler-is-hosted.com/js.ashx?clientId=2" type="text/javascript" language="javascript"></script>
But will we be able to inject HTML and Script tags into the page as well?
Injection? Yes please, but be kind.
It seems that when Javascript is "asked" to be on a page, you can basically do whatever you want - even being allowed to inject more Javascript and more HTML!!
string output = "function WriteClickDensity() { \n";
output += "document.write('<script type=\"text/javascript\" src=\"http://j.clickdensity.com/cr.js\"></script>');\n";
output += "document.write('<script type=\"text/javascript\">');\n";
output += "document.write('//<![CDATA[\\n');\n";
output += "document.write('var clickdensity_siteID = " + entity.ClickdensitySiteID + ";\\n');\n";
output += "document.write('var clickdensity_keyElement = \"" + entity.ClickdensityKeyElement + "\";\\n');\n";
output += "document.write('//]]>');\n";
output += "document.write('</script>');\n";
output += "\n} \nWriteClickDensity();\n";
Once this has been written to your page, and once the method has been called, the code will then add all the required Click Density code to your webpage. Voila! No problems and it works nicely. Now there is a lot of extra work to be done in the handler code - security checks, domain checks, etc - so that you won't be spammed, conned or just just giving away all your secrets to all and sundry (isn't that what you are doing here? - ed.). But it works, and works well.
By adding a simple database and admin functionality to the site hosting the generic handler, you can start to fine grain control all your client's websites. Any new websites can easily be added, and the Click Density code (or whoever it is you use) can be added to any website with simple Javascript:
<script src="http://where.your-generic-handler-is-hosted.com/js.ashx?clientId=2" type="text/javascript" language="javascript"></script>
And it doesn't matter if the site is a PHP, .net, Classic ASP, or even pure HTML. This also means you don't need to rely on a third party adding lots of Javascript and getting codes and what not's correct. One line and we do the rest of the work. Job done!