Re: <script src=javascript:"..."> should do nothing

I cannot agree with the assertion "for
compatibility with existing User Agents" :
testing Simon Pieters' original example

     <script src=javascript:"alert(1)"></script>

in SeaMonkey 1.1.11, I see an alert.

Philip TAYLOR
--------
Ian Hickson wrote:

 > Actually right now the spec specifically says that javascript: in <script src=""> does nothing, for compatiblity with existing UAs. (I doubt that the three biggest UAs would all ignore javascript: in this one specific case if there wasn't content relying on that, so it seems unwise to not also require this in the spec.)

Received on Tuesday, 12 August 2008 09:12:41 UTC