On 10/30/03 3:23 AM, "Rijk van Geijtenbeek" <rijk@iname.com> wrote: > > Hello Tantek, > > On Thursday, October 30, 2003 you wrote: > > >>> body { background: url("javascript:alert(\'Hello\ again!\ >>> (background)\')"); >>> } >>> >>> ...is possible right now, and shows a dialog in at least two browsers. > >> If you take something which is safe, mix it with something that is unsafe, >> you end up with a result that is unsafe. > > And if you disable JavaScript in Opera (with the F12 quick prefs), you > will not get the popup. No need to disable styling or go into user > mode. Precisely Rijk. The same thing happens in IE/Mac and IE/Windows. If you disable scripting (in IE5/Mac uncheck "Enable scripting", in IE6/Windows Internet Options, Security, Custom..., Security Settings, choose the "Disable" radio button under "Active scripting") you will not get the popup(s). No need to disable styling. > This can be used to support both sides of the argument though ;) I don't see how, seeing how CSS without javascript in this case works fine, and adding javascript causes problems, therefore javascript is the problem. TantekReceived on Thursday, 30 October 2003 06:52:49 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:54:24 GMT