
Re: <script src=javascript:"..."> should do nothing

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 12 Aug 2008 13:13:00 -0400
Message-ID: <48A1C49C.1010209@mit.edu>
To: Philip TAYLOR <Philip-and-LeKhanh@Royal-Tunbridge-Wells.Org>
CC: Ian Hickson <ian@hixie.ch>, public-html@w3.org

Philip TAYLOR wrote:
>     <script src=javascript:"alert(1)"></script>
> in SeaMonkey 1.1.11, I see an alert.

Between Gecko 1.8 and Gecko 1.9, javascript: handling was changed 
drastically.  In the new world, we only execute the script under certain 
conditions, which include knowing where it came from.

Right now, the "where did it come from?" information is only propagated 
through in a few places: iframes/frames/windows and stylesheets.  All 
other uses of javascript: don't execute in Gecko 1.9, where they did in 
Gecko 1.8 (simple to test with <img>; you just have to have a script 
that doesn't try to touch the Window object).

We consider this a bug and want to move towards propagating the origin 
information through everywhere.  At that point we'll need to 
special-case <script src="javascript:..."> to get the behavior HTML5 
currently requires.

Received on Tuesday, 12 August 2008 17:13:51 UTC
