W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2011

[whatwg] Javascript: URLs as element attributes

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 06 Jun 2011 17:12:28 -0700
Message-ID: <4DED6CEC.9030809@mit.edu>
On 6/6/11 4:45 PM, Ian Hickson wrote:
>>    data:text/html,<body onload="alert(window[0].location)"><iframe src="javascript:''">
>
> Woah, funky. (Gecko thinks the location is "javascript:''".)

Well... it sort of is.  ;)

>>> It's defined; see the section on the<onject>  element.
>>
>> I've read that section, in fact.  I couldn't make sense of what behavior
>> it actually called for.  Has it changed recently (last few months) to
>> become clearer such that rereading would be worthwhile?
>
> Not as far as I'm aware. Could you elaborate on how it is confusing? I'm
> eager to make this understandable!

I'll try reading it again and taking notes, I guess.  When I can find 
time to.  :(  The latency is killing us here.

> Since Gecko seems to be alone in this weird behaviour, I haven't specced
> it. I couldn't find any other effect (e.g. the input seems to always be
> treated as Unicode, not converted to bytes and redecoded, regardless of
> what I make it look like, including UTF-16 and UTF-8).

You can detect other effects by seeing what unescape() does in the 
resulting document, iirc.  As well as URIs including %-encoded bytes and 
so forth.  Also you can detect what charset is used for stylesheets 
included by the document that don't declare their own charset.  There 
are probably other places that use the document encoding.  Worth testing 
some of this stuff....

-Boris
Received on Monday, 6 June 2011 17:12:28 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:06 UTC