W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2012

Re: [whatwg] URL: javascript URLs

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 28 Sep 2012 11:45:33 -0400
Message-ID: <5065C61D.6070203@mit.edu>
To: whatwg@lists.whatwg.org
On 9/28/12 11:34 AM, Boris Zbarsky wrote:
> I'm not sure why it never hits the alert.  A similar testcase not inside
> the live dom viewer works just fine.

Oh, I see why it's different.

In the case I was testing (just loading a file from file://), the 
javascript: URI is created from the string 'javascript:alert("%E2%84")' 
with charset set to ISO-8859-1.  When the URI parser is done with that, 
it has converted it to an internal representation that looks like 
'javascript:alert("%C3%A2%E2%80%9E")' and then when you unescape and 
convert from UTF-8 you get those original two ISO-8859-1 chars.

But on the live dom viewer, the URI is being created from the same 
string, but with charset set to UTF-8.  When the URI parser is done with 
that, it has converted to an internal representation that looks like 
'javascript:alert("%e2%84")' and then when you unescape you get a byte 
array with the bytes 0xe2 0x84, and converting from UTF-8 you get a 
0-length string because the "convert from utf-8" function involved 
doesn't handle malformed utf-8 very well.  So nothing happens.

-Boris
Received on Friday, 28 September 2012 15:46:08 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:46 UTC