W3C home > Mailing lists > Public > public-html@w3.org > August 2008

Re: <script src=javascript:"..."> should do nothing

From: Philip TAYLOR <Philip-and-LeKhanh@Royal-Tunbridge-Wells.Org>
Date: Tue, 12 Aug 2008 10:11:57 +0100
Message-ID: <48A153DD.1000600@Royal-Tunbridge-Wells.Org>
To: Ian Hickson <ian@hixie.ch>
CC: Boris Zbarsky <bzbarsky@MIT.EDU>, Justin James <j_james@mindspring.com>, 'Toby A Inkster' <tai@g5n.co.uk>, public-html@w3.org

I cannot agree with the assertion "for
compatibility with existing User Agents" :
testing Simon Pieters' original example

     <script src=javascript:"alert(1)"></script>

in SeaMonkey 1.1.11, I see an alert.

Ian Hickson wrote:

 > Actually right now the spec specifically says that javascript: in <script src=""> does nothing, for compatiblity with existing UAs. (I doubt that the three biggest UAs would all ignore javascript: in this one specific case if there wasn't content relying on that, so it seems unwise to not also require this in the spec.)
Received on Tuesday, 12 August 2008 09:12:41 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:15:37 UTC