W3C home > Mailing lists > Public > public-html@w3.org > August 2008

Re: <script src=javascript:"..."> should do nothing

From: Toby A Inkster <tai@g5n.co.uk>
Date: Mon, 11 Aug 2008 14:22:36 +0100
Message-Id: <31CBA0B0-35CB-4B1B-B216-408DF5409B58@g5n.co.uk>
To: public-html@w3.org

This is nasty, I know, but what about:

<script src="javascript:return 'window.alert(&quot;hello&quot;)';">
</script>

i.e. the 'javascript:' URI is executed and returns a string, the  
string returned is then treated as if it were the contents of the  
<script> element. Nasty though it is, that seems to be more  
consistent with how the 'javascript:' protocol is handled in 'href'.

-- 
Toby A Inkster
<mailto:mail@tobyinkster.co.uk>
<http://tobyinkster.co.uk>
Received on Monday, 11 August 2008 13:23:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:21 GMT