On Mon, 11 Aug 2008, Toby A Inkster wrote: > > This is nasty, I know, but what about: > > <script src="javascript:return 'window.alert("hello")';"> > </script> > > i.e. the 'javascript:' URI is executed and returns a string, the string > returned is then treated as if it were the contents of the <script> > element. Nasty though it is, that seems to be more consistent with how > the 'javascript:' protocol is handled in 'href'. This isn't really about what we want, it's about what browsers do. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'Received on Monday, 11 August 2008 19:49:51 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:40:19 GMT