- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 12 Aug 2008 13:13:00 -0400
- To: Philip TAYLOR <Philip-and-LeKhanh@Royal-Tunbridge-Wells.Org>
- CC: Ian Hickson <ian@hixie.ch>, public-html@w3.org
Philip TAYLOR wrote:
> <script src=javascript:"alert(1)"></script>
>
> in SeaMonkey 1.1.11, I see an alert.

Between Gecko 1.8 and Gecko 1.9, javascript: handling was changed drastically. In the new world, we only execute the script under certain conditions, which include knowing where it came from.

Right now, the "where did it come from?" information is only propagated through in a few places: iframes/frames/windows and stylesheets. All other uses of javascript: don't execute in Gecko 1.9, where they did in Gecko 1.8 (simple to test with <img>; you just have to have a script that doesn't try to touch the Window object).

We consider this a bug and want to move towards propagating the origin information through everywhere. At that point we'll need to special-case <script src="javascript:..."> to get the behavior HTML5 currently requires.

-Boris
Received on Tuesday, 12 August 2008 17:13:51 UTC