W3C home > Mailing lists > Public > www-style@w3.org > October 2003

Re: CSS 4?

From: Tantek Çelik <tantek@cs.stanford.edu>
Date: Thu, 30 Oct 2003 03:49:18 -0800
To: Rijk van Geijtenbeek <rijk@iname.com>, <www-style@w3.org>
Message-ID: <BBC63A00.2F4D6%tantek@cs.stanford.edu>

On 10/30/03 3:23 AM, "Rijk van Geijtenbeek" <rijk@iname.com> wrote:

> 
> Hello Tantek,
> 
> On Thursday, October 30, 2003 you wrote:
> 
> 
>>>  body { background: url("javascript:alert(\'Hello\ again!\
>>> (background)\')");
>>> }
>>> 
>>> ...is possible right now, and shows a dialog in at least two browsers.
> 
>> If you take something which is safe, mix it with something that is unsafe,
>> you end up with a result that is unsafe.
> 
> And if you disable JavaScript in Opera (with the F12 quick prefs), you
> will not get the popup. No need to disable styling or go into user
> mode.

Precisely Rijk.

The same thing happens in IE/Mac and IE/Windows.  If you disable scripting
(in IE5/Mac uncheck "Enable scripting", in IE6/Windows Internet Options,
Security, Custom..., Security Settings, choose the "Disable" radio button
under "Active scripting") you will not get the popup(s).  No need to disable
styling.

> This can be used to support both sides of the argument though ;)

I don't see how, seeing how CSS without javascript in this case works fine,
and adding javascript causes problems, therefore javascript is the problem.

Tantek
Received on Thursday, 30 October 2003 06:52:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:54:24 GMT