
Re: <script src=javascript:"..."> should do nothing

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 12 Aug 2008 09:25:28 +0000 (UTC)
To: public-html@w3.org
Message-ID: <Pine.LNX.4.62.0808120925160.5136@hixie.dreamhostps.com>


On Tue, 12 Aug 2008, Philip TAYLOR wrote:
>
> I cannot agree with "for compatibility with existing User Agents": 
> testing Simon Pieters' original example
> 
> 	<script src=javascript:"alert(1)"></script>
> 
> in SeaMonkey 1.1.11, I see an alert.

IE7/IE8b1, Firefox 3, Safari 3.1, and Opera 9.50 are my baseline and are 
basically all that I care about, since they account for over 99% of the 
browser install base.

Having said that, it surprises me that SeaMonkey would have a different 
behaviour than Firefox. Are they using an obsolete Gecko branch or 
something? If Gecko actually changed behaviour from 1.8 to 1.9, that would 
be even more evidence that there is a good reason for the change.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 12 August 2008 09:26:06 GMT
