W3C home > Mailing lists > Public > www-html@w3.org > February 2000

RE: javascript scheme in href URLs

From: Dave J Woolley <DJW@bts.co.uk>
Date: Tue, 8 Feb 2000 17:18:14 -0000
Message-ID: <81E4A2BC03CED111845100104B62AFB53F3FEE@stagecoach.bts.co.uk>
To: "'www-html@w3.org'" <www-html@w3.org>
> From:	Simon St.Laurent [SMTP:simonstl@simonstl.com]
> I can't find any express prohibition of:
> <a href="javascript:myFunction()">
> in HTML 4.01 or in XHTML 1.0.  The references for URL and URI date back to
> 1994 and 1995, and don't make reference of this technique.  Is this
> officially discouraged in favor of the event attributes? 
	URI's are extensible, so this could be valid.  However the
	use of such URIs makes it difficult to produce HTML
	with good accessiblity characteristics - you end up with
	pages that only work for people with recent browsers who
	ignore CERT Advisory CA-2000-02.

	Preferably, if you are going to use Javascript and it isn't
	fundamentally++ required for the applications (true of most
	commercial web sites using javascript:) your links should be
	normal links and any Javascript effects should be achieved by
	intercepting the onclick or onsubmit events, such that, with
	the Javascript inactive, the page is still completely usable.
	That's my view, anyway.

	I sometimes use Lynx, which has no Javascript support, or even
	Amaya, and with IE4+ and NS I ran with Javascript disabled even
	before the Microsoft security alert on IE5 and the above CERT

	++ NB, you should never rely on client side validation alone,
	as it is easy to re-write pages to bypass the validation, so 
	using Javascript to validate client side should be treated as 
	added value, not as fundamental to the operation of the page.
Received on Tuesday, 8 February 2000 12:22:56 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:05:52 UTC