Philip TAYLOR wrote: > <script src=javascript:"alert(1)"></script> > > in SeaMonkey 1.1.11, I see an alert. Between Gecko 1.8 and Gecko 1.9, javascript: handling was changed drastically. In the new world, we only execute the script under certain conditions, which include knowing where it came from. Right now, the "where did it come from?" information is only propagated through in a few places: iframes/frames/windows and stylesheets. All other uses of javascript: don't execute in Gecko 1.9, where they did in Gecko 1.8 (simple to test with <img>; you just have to have a script that doesn't try to touch the Window object). We consider this a bug and want to move towards propagating the origin information through everywhere. At that point we'll need to special-case <script src="javascript:..."> to get the behavior HTML5 currently requires. -BorisReceived on Tuesday, 12 August 2008 17:13:51 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:32:38 GMT