W3C home > Mailing lists > Public > public-html@w3.org > August 2008

Re: <script src=javascript:"..."> should do nothing

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 12 Aug 2008 09:00:42 +0200
To: "Garrett Smith" <dhtmlkitchen@gmail.com>, "Simon Pieters" <simonp@opera.com>
Cc: public-html <public-html@w3.org>
Message-ID: <op.ufrhrgm064w2qv@annevk-t60.oslo.opera.com> 

On Tue, 12 Aug 2008 08:52:55 +0200, Garrett Smith <dhtmlkitchen@gmail.com>  
wrote:
> On 10/12/07, Simon Pieters <simonp@opera.com> wrote:
>>
>>  Consider the following:
>>
>>    <script src=javascript:"alert(1)"></script>
>>
>>  In Firefox, Opera, Safari and IE, the script of the resulting text/html
>> document "alert(1)" is not executed. The spec should reflect this  
>> (probably
>> in the "The javascript: protocol" section).
>
> How is:-
>
> "alert(1)"
>
> a text/html document?
>
> What it looks like is a string value in a javascript: pseudo url.

The return value of executing the script is treated as a text/html  
resource:

   http://www.whatwg.org/specs/web-apps/current-work/#javascript-protocol

(The section Simon referenced in his e-mail.)

Example:

   javascript:"<h1>x</h1>"


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 12 August 2008 07:00:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:40:19 GMT