
Re: <script src=javascript:"..."> should do nothing

From: Philip TAYLOR <Philip-and-LeKhanh@Royal-Tunbridge-Wells.Org>
Date: Mon, 11 Aug 2008 14:33:21 +0100
Message-ID: <48A03FA1.8060605@Royal-Tunbridge-Wells.Org>
To: Toby A Inkster <tai@g5n.co.uk>
CC: public-html@w3.org

If "return" were allowed there (is it ?  It is
not within a function), then surely the string
returned should be treated as the URL of the
JavaScript file to be loaded/executed, as in :

<p>An in-line script :
	<script src="javascript:return './demo.js'">
	</script>
</p>
</body>
</html>

Philip TAYLOR
--------
Toby A Inkster wrote:
> 
> This is nasty, I know, but what about:
> 
> <script src="javascript:return 'window.alert(&quot;hello&quot;)';">
> </script>
> 
> i.e. the 'javascript:' URI is executed and returns a string, the string 
> returned is then treated as if it were the contents of the <script> 
> element. Nasty though it is, that seems to be more consistent with how 
> the 'javascript:' protocol is handled in 'href'.
> 
> --Toby A Inkster
> <mailto:mail@tobyinkster.co.uk>
> <http://tobyinkster.co.uk>
Received on Monday, 11 August 2008 13:34:03 GMT
