- From: Justin James <j_james@mindspring.com>
- Date: Mon, 11 Aug 2008 09:58:29 -0400
- To: "'Toby A Inkster'" <tai@g5n.co.uk>, <public-html@w3.org>
I agree, it would be much more consistent for a javascript: protocol item in the src to be executed as JavaScript. In fact, I would content that: <img src="javascript:..." /> should be allowed, provided that the JavaScript provides binary data (whether from generating it itself, downloading an image, etc) of an allowed image content type! Consistency is a beautiful thing, it means that when someone tries to "push the envelope" that there is enough paper and glue to let it happen, and at the same time, if someone wants to do something colossally stupid (as <script src="javascript:..."> would be most of the time), it does not blow up in their face but works as expected. J.Ja > -----Original Message----- > From: public-html-request@w3.org [mailto:public-html-request@w3.org] On > Behalf Of Toby A Inkster > Sent: Monday, August 11, 2008 9:23 AM > To: public-html@w3.org > Subject: Re: <script src=javascript:"..."> should do nothing > > > This is nasty, I know, but what about: > > <script src="javascript:return 'window.alert("hello")';"> > </script> > > i.e. the 'javascript:' URI is executed and returns a string, the > string returned is then treated as if it were the contents of the > <script> element. Nasty though it is, that seems to be more > consistent with how the 'javascript:' protocol is handled in 'href'. > > -- > Toby A Inkster > <mailto:mail@tobyinkster.co.uk> > <http://tobyinkster.co.uk> > >
Received on Monday, 11 August 2008 13:59:21 UTC