[whatwg] Javascript: URLs as element attributes

On Wed, Aug 11, 2010 at 7:58 PM, Cris Neckar <cdn at chromium.org> wrote:
> Browsers currently deal with these in a fairly ad-hoc way. I used the
> following to test a few examples in various browsers.
>
>   <embed src="javascript:alert('embed-src');"></embed>
>   <embed src="http://none"
> pluginurl="javascript:alert('embed-pluginurl');"></embed>
>   <object classid="javascript:alert('object-classid');"></object>
>   <object archive="javascript:alert('object-archive');"></object>
>   <object data="javascript:alert('object-data');"></object>
>   <img src="javascript:alert('img-src');">
>   <script src="javascript:alert('script-src');"></script>
>   <applet code="javascript:alert('applet-code');"></applet>
>   <applet code="http://none"
> archive="javascript:alert('applet-archive');"></applet>
>   <applet code="http://none"
> codebase="javascript:alert('applet-codebase');"></applet>
>   <link rel="stylesheet" type="text/css"
> href="javascript:alert('link-href');" />

Just curious, why do we want to allow alert/confirm/prompt in URLs for
embed, object, applet etc?

I sometimes see a problem in Firefox:
https://bugzilla.mozilla.org/show_bug.cgi?id=616838

And I don't see any use case for that.

Cheers
Biju

Received on Sunday, 12 December 2010 18:27:30 UTC
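
A defender-side check for the attribute list quoted above, as an added example that is not part of the original message: it parses markup with Python's html.parser and flags the quoted tag/attribute pairs whose value a URL parser would read as a javascript: URL. The function names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs taken from the test cases quoted in the message above.
URL_ATTRS = {
    ("embed", "src"), ("embed", "pluginurl"),
    ("object", "classid"), ("object", "archive"), ("object", "data"),
    ("img", "src"), ("script", "src"),
    ("applet", "code"), ("applet", "archive"), ("applet", "codebase"),
    ("link", "href"),
}

C0_AND_SPACE = "".join(map(chr, range(0x21)))  # U+0000 through U+0020


def is_javascript_url(value):
    """True if a URL parser would read the value's scheme as javascript:."""
    if not value:
        return False
    # URL parsing strips leading/trailing C0 controls and spaces, then
    # removes ASCII tab and newline anywhere; schemes are case-insensitive.
    v = value.strip(C0_AND_SPACE)
    v = v.replace("\t", "").replace("\n", "").replace("\r", "")
    return v[:11].lower() == "javascript:"


class Auditor(HTMLParser):
    """Collects (tag, attribute) pairs that carry a javascript: URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names and decodes character references.
        for name, value in attrs:
            if (tag, name) in URL_ATTRS and is_javascript_url(value):
                self.findings.append((tag, name))


def audit(html):
    parser = Auditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: cases from the message plus forms a parser normalises.
SAMPLE = """
<embed src="javascript:alert('embed-src');"></embed>
<object data=" JavaScript:alert('object-data');"></object>
<img src="java&#9;script:alert('img-src');">
<link rel="stylesheet" type="text/css" href="javascript:alert('link-href');" />
<img src="http://none/javascript:.png">
"""
```
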