- From: Tantek Çelik <tantek@cs.stanford.edu>
- Date: Thu, 30 Oct 2003 03:49:18 -0800
- To: Rijk van Geijtenbeek <rijk@iname.com>, <www-style@w3.org>
On 10/30/03 3:23 AM, "Rijk van Geijtenbeek" <rijk@iname.com> wrote:
>
> Hello Tantek,
>
> On Thursday, October 30, 2003 you wrote:
>
>
>>> body { background: url("javascript:alert(\'Hello\ again!\
>>> (background)\')");
>>> }
>>>
>>> ...is possible right now, and shows a dialog in at least two browsers.
>
>> If you take something which is safe, mix it with something that is unsafe,
>> you end up with a result that is unsafe.
>
> And if you disable JavaScript in Opera (with the F12 quick prefs), you
> will not get the popup. No need to disable styling or go into user
> mode.
Precisely Rijk.
The same thing happens in IE/Mac and IE/Windows. If you disable scripting
(in IE5/Mac uncheck "Enable scripting", in IE6/Windows Internet Options,
Security, Custom..., Security Settings, choose the "Disable" radio button
under "Active scripting") you will not get the popup(s). No need to disable
styling.
> This can be used to support both sides of the argument though ;)
I don't see how, seeing how CSS without javascript in this case works fine,
and adding javascript causes problems, therefore javascript is the problem.
Tantek
Received on Thursday, 30 October 2003 06:52:49 UTC