- From: Philip TAYLOR <Philip-and-LeKhanh@Royal-Tunbridge-Wells.Org>
- Date: Tue, 12 Aug 2008 10:11:57 +0100
- To: Ian Hickson <ian@hixie.ch>
- CC: Boris Zbarsky <bzbarsky@MIT.EDU>, Justin James <j_james@mindspring.com>, 'Toby A Inkster' <tai@g5n.co.uk>, public-html@w3.org
I cannot agree with the assertion "for
compatibility with existing User Agents" :
testing Simon Pieters' original example
<script src=javascript:"alert(1)"></script>
in SeaMonkey 1.1.11, I see an alert.
Philip TAYLOR
--------
Ian Hickson wrote:
> Actually right now the spec specifically says that javascript: in <script src=""> does nothing, for compatiblity with existing UAs. (I doubt that the three biggest UAs would all ignore javascript: in this one specific case if there wasn't content relying on that, so it seems unwise to not also require this in the spec.)
Received on Tuesday, 12 August 2008 09:12:41 UTC