- From: Cris Neckar <cdn@chromium.org>
- Date: Wed, 11 Aug 2010 16:58:51 -0700
Resending from the correct address

---------- Forwarded message ----------
From: Cris Neckar <cdn@google.com>
Date: Wed, Aug 11, 2010 at 11:57 AM
Subject: Javascript: URLs as element attributes
To: whatwg at whatwg.org
Cc: bzbarsky at mit.edu

The HTML5 spec is somewhat ambiguous on the handling of javascript: URLs when supplied as attributes to different elements. It does not specifically prohibit handling them in most cases, but I was wondering if this has been discussed and whether there is consensus on correct behavior.

There are several areas of the spec that specifically reference the use of javascript: URLs as the "src" attribute for "img" nodes, but this is not universal. For example see http://dev.w3.org/html5/spec/Overview.html#introduction-3

6.1.1 "Processing of inline javascript: URLs (e.g. the src attribute of img elements, or an @import rule in a CSS style element block)."

And http://dev.w3.org/html5/spec/Overview.html#javascript-protocol

6.1.5 "So for example a javascript: URL for a src attribute of an img element would be evaluated in the context of an empty object as soon as the attribute is set; it would then be sniffed to determine the image type and decoded as an image."

Browsers currently deal with these in a fairly ad-hoc way. I used the following to test a few examples in various browsers.

    <embed src="javascript:alert('embed-src');"></embed>
    <embed src="http://none" pluginurl="javascript:alert('embed-pluginurl');"></embed>
    <object classid="javascript:alert('object-classid');"></object>
    <object archive="javascript:alert('object-archive');"></object>
    <object data="javascript:alert('object-data');"></object>
    <img src="javascript:alert('img-src');">
    <script src="javascript:alert('script-src');"></script>
    <applet code="javascript:alert('applet-code');"></applet>
    <applet code="http://none" archive="javascript:alert('applet-archive');"></applet>
    <applet code="http://none" codebase="javascript:alert('applet-codebase');"></applet>
    <link rel="stylesheet" type="text/css" href="javascript:alert('link-href');" />

IE 8: Blocks all tests.
Chrome 5.0.375: Allows object.data, embed.src. Blocks all others.
Firefox 3.6.3: Allows object.data, applet.code, and embed.src. Blocks all others.
Firefox 3.7.863: Allows object.data and embed.src. Blocks all others.
Opera 10.54: Allows script.src and object.data. Blocks all others.

Has there been discussion on this in the past? If not, we should work towards defining which of these we want to allow and which we should block.

Thank you,
-cris
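As an added example that is not part of Cris's post or of any browser's code, the following scanner flags the element/attribute pairs from the test list above whose value carries the javascript: scheme, normalizing the value the way a URL parser does (leading and trailing C0 controls and spaces stripped, ASCII tab/newline removed, scheme compared case-insensitively), so a content filter or a conformance test can detect such attributes regardless of which browser would execute them. The attribute set and the embedded markup are assumptions taken from the post's test cases.

```javascript
// URL-bearing attributes of the elements exercised by the post's test list
// (assumption: mirrors those test cases, not a complete catalogue).
const URL_ATTRIBUTES = new Set([
  "src", "href", "data", "classid", "archive", "codebase", "pluginurl", "code",
]);

// Normalize as a URL parser does before reading the scheme: strip leading and
// trailing C0 controls/spaces, drop ASCII tab/newline, compare case-insensitively.
function hasJavascriptScheme(value) {
  const cleaned = value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  return /^javascript:/i.test(cleaned);
}

// Minimal start-tag tokenizer: enough for attribute-only markup like the test
// strings; it does not handle comments, CDATA or raw-text element bodies.
const TAG_RE = /<([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Returns "element.attribute" for every URL-bearing attribute whose value
// would be treated as a javascript: URL, independent of any browser's policy.
function findJavascriptUrls(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const element = tag[1].toLowerCase();
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const name = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4] ?? "";
      if (URL_ATTRIBUTES.has(name) && hasJavascriptScheme(value)) {
        findings.push(`${element}.${name}`);
      }
    }
  }
  return findings;
}

// Constructed sample: the test cases from the post, one per line.
const SAMPLE_MARKUP = [
  `<embed src="javascript:alert('embed-src');"></embed>`,
  `<embed src="http://none" pluginurl="javascript:alert('embed-pluginurl');"></embed>`,
  `<object classid="javascript:alert('object-classid');"></object>`,
  `<object archive="javascript:alert('object-archive');"></object>`,
  `<object data="javascript:alert('object-data');"></object>`,
  `<img src="javascript:alert('img-src');">`,
  `<script src="javascript:alert('script-src');"></script>`,
  `<applet code="javascript:alert('applet-code');"></applet>`,
  `<applet code="http://none" archive="javascript:alert('applet-archive');"></applet>`,
  `<applet code="http://none" codebase="javascript:alert('applet-codebase');"></applet>`,
  `<link rel="stylesheet" type="text/css" href="javascript:alert('link-href');" />`,
].join("\n");
```

Calling `findJavascriptUrls(SAMPLE_MARKUP)` returns one entry per test case, with the `http://none` attributes left out.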
Received on Wednesday, 11 August 2010 16:58:51 UTC