- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 11 Aug 2008 19:49:03 +0000 (UTC)
- To: Toby A Inkster <tai@g5n.co.uk>
- Cc: public-html@w3.org
On Mon, 11 Aug 2008, Toby A Inkster wrote: > > This is nasty, I know, but what about: > > <script src="javascript:return 'window.alert("hello")';"> > </script> > > i.e. the 'javascript:' URI is executed and returns a string, the string > returned is then treated as if it were the contents of the <script> > element. Nasty though it is, that seems to be more consistent with how > the 'javascript:' protocol is handled in 'href'. This isn't really about what we want, it's about what browsers do. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 11 August 2008 19:49:51 UTC