W3C home > Mailing lists > Public > public-html@w3.org > August 2008

Re: <script src=javascript:"..."> should do nothing

From: Toby A Inkster <tai@g5n.co.uk>
Date: Mon, 11 Aug 2008 14:22:36 +0100
Message-Id: <31CBA0B0-35CB-4B1B-B216-408DF5409B58@g5n.co.uk>
To: public-html@w3.org

This is nasty, I know, but what about:

<script src="javascript:return 'window.alert(&quot;hello&quot;)';">

i.e. the 'javascript:' URI is executed and returns a string, the  
string returned is then treated as if it were the contents of the  
<script> element. Nasty though it is, that seems to be more  
consistent with how the 'javascript:' protocol is handled in 'href'.

Toby A Inkster
Received on Monday, 11 August 2008 13:23:41 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:15:37 UTC