[whatwg] Javascript: URLs as element attributes
Biju
bijumaillist at gmail.com
Sun Dec 12 18:27:30 PST 2010
On Wed, Aug 11, 2010 at 7:58 PM, Cris Neckar <cdn at chromium.org> wrote:
> Browsers currently deal with these in a fairly ad-hoc way. I used the
> following to test a few examples in various browsers.
>
> <embed src="javascript:alert('embed-src');"></embed>
> <embed src="http://none"
> pluginurl="javascript:alert('embed-pluginurl');"></embed>
> <object classid="javascript:alert('object-classid');"></object>
> <object archive="javascript:alert('object-archive');"></object>
> <object data="javascript:alert('object-data');"></object>
> <img src="javascript:alert('img-src');">
> <script src="javascript:alert('script-src');"></script>
> <applet code="javascript:alert('applet-code');"></applet>
> <applet code="http://none"
> archive="javascript:alert('applet-archive');"></applet>
> <applet code="http://none"
> codebase="javascript:alert('applet-codebase');"></applet>
> <link rel="stylesheet" type="text/css"
> href="javascript:alert('link-href');" />
Just curious, why do we want to allow alert/confirm/prompt in URLs for
embed, object, applet etc?
I sometimes see a problem in Firefox:
https://bugzilla.mozilla.org/show_bug.cgi?id=616838
And I don't see any use case for that.
Cheers
Biju
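
An added example, not part of the original message or of any browser's code: a content-filter check that flags `javascript:` URLs in the element attributes from the quoted test markup, normalizing each value the way URL parsers do (strip leading/trailing control characters and spaces, drop tabs and newlines) before reading the scheme. The names `URL_ATTRS`, `schemeOf` and `flagScriptUrls` and the sample values are constructed for illustration.

```javascript
// URL-bearing attributes exercised by the quoted test markup (per element).
const URL_ATTRS = new Map([
  ["embed", ["src", "pluginurl"]],
  ["object", ["classid", "archive", "data"]],
  ["img", ["src"]],
  ["script", ["src"]],
  ["applet", ["code", "archive", "codebase"]],
  ["link", ["href"]],
]);
const BLOCKED_SCHEMES = new Set(["javascript"]);

// Return the lower-cased scheme of an attribute value, or null if it has none.
// Leading/trailing C0 controls and spaces are stripped and tab/LF/CR removed
// first, so " JavaScript:" and "java\tscript:" both resolve to "javascript".
function schemeOf(value) {
  const cleaned = String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Keep only the attributes that are URL-bearing for their element and whose
// value resolves to a blocked scheme.
function flagScriptUrls(attributes) {
  return attributes.filter(({ tag, name, value }) => {
    const names = URL_ATTRS.get(String(tag).toLowerCase()) || [];
    return names.includes(String(name).toLowerCase()) &&
      BLOCKED_SCHEMES.has(schemeOf(value));
  });
}

// Constructed sample input: already-parsed (tag, attribute, value) triples.
const SAMPLE = [
  { tag: "embed", name: "src", value: "javascript:alert('embed-src');" },
  { tag: "OBJECT", name: "data", value: " JavaScript:alert('object-data');" },
  { tag: "applet", name: "codebase", value: "java\tscript:alert('applet-codebase');" },
  { tag: "img", name: "src", value: "http://none" },
  { tag: "link", name: "href", value: "style.css" },
  { tag: "img", name: "alt", value: "javascript: is only text here" },
];

console.log(flagScriptUrls(SAMPLE).map((a) => `${a.tag}[${a.name}]`));
```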