RE: <script src=javascript:"..."> should do nothing

From: Justin James <j_james@mindspring.com>
Date: Mon, 11 Aug 2008 09:58:29 -0400
To: "'Toby A Inkster'" <tai@g5n.co.uk>, <public-html@w3.org>
Message-ID: <00c001c8fbba$557a5af0$006f10d0$@com>

I agree, it would be much more consistent for a javascript: protocol item in
the src to be executed as JavaScript. In fact, I would contend that:

<img src="javascript:..." />

should be allowed, provided that the JavaScript provides binary data
(whether from generating it itself, downloading an image, etc) of an allowed
image content type!

Consistency is a beautiful thing, it means that when someone tries to "push
the envelope" that there is enough paper and glue to let it happen, and at
the same time, if someone wants to do something colossally stupid (as
<script src="javascript:..."> would be most of the time), it does not blow
up in their face but works as expected.

J.Ja

> -----Original Message-----
> From: public-html-request@w3.org [mailto:public-html-request@w3.org] On
> Behalf Of Toby A Inkster
> Sent: Monday, August 11, 2008 9:23 AM
> To: public-html@w3.org
> Subject: Re: <script src=javascript:"..."> should do nothing
> 
> 
> This is nasty, I know, but what about:
> 
> <script src="javascript:return 'window.alert(&quot;hello&quot;)';">
> </script>
> 
> i.e. the 'javascript:' URI is executed and returns a string, the
> string returned is then treated as if it were the contents of the
> <script> element. Nasty though it is, that seems to be more
> consistent with how the 'javascript:' protocol is handled in 'href'.
> 
> --
> Toby A Inkster
> <mailto:mail@tobyinkster.co.uk>
> <http://tobyinkster.co.uk>
> 
> 
Received on Monday, 11 August 2008 13:59:21 UTC
