W3C home > Mailing lists > Public > public-html@w3.org > August 2008

Re: <script src=javascript:"..."> should do nothing

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 11 Aug 2008 13:59:21 -0400
Message-ID: <48A07DF9.7070303@mit.edu>
To: Toby A Inkster <tai@g5n.co.uk>
CC: public-html@w3.org

Toby A Inkster wrote:
> This is nasty, I know, but what about:
> 
> <script src="javascript:return 'window.alert(&quot;hello&quot;)';">
> </script>

Other than the misplaced |return| statement, this can certainly be made 
to work, subject to UA security restrictions.

The question is why you'd care to make this work, of course...  There is 
no use case I can think of here.

-Boris
Received on Monday, 11 August 2008 18:09:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:21 GMT