W3C home > Mailing lists > Public > public-html@w3.org > August 2008

Re: <script src=javascript:"..."> should do nothing

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 11 Aug 2008 19:49:03 +0000 (UTC)
To: Toby A Inkster <tai@g5n.co.uk>
Cc: public-html@w3.org
Message-ID: <Pine.LNX.4.62.0808111948450.5136@hixie.dreamhostps.com>

On Mon, 11 Aug 2008, Toby A Inkster wrote:
> 
> This is nasty, I know, but what about:
> 
> <script src="javascript:return 'window.alert(&quot;hello&quot;)';">
> </script>
> 
> i.e. the 'javascript:' URI is executed and returns a string, the string 
> returned is then treated as if it were the contents of the <script> 
> element. Nasty though it is, that seems to be more consistent with how 
> the 'javascript:' protocol is handled in 'href'.

This isn't really about what we want, it's about what browsers do.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 11 August 2008 19:49:51 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:38:57 UTC