[whatwg] Javascript: URLs as element attributes

Biju bijumaillist at gmail.com
Sun Dec 12 18:27:30 PST 2010


On Wed, Aug 11, 2010 at 7:58 PM, Cris Neckar <cdn at chromium.org> wrote:
> Browsers currently deal with these in a fairly ad-hoc way. I used the
> following to test a few examples in various browsers.
>
>    <embed src="javascript:alert('embed-src');"></embed>
>    <embed src="http://none"
> pluginurl="javascript:alert('embed-pluginurl');"></embed>
>    <object classid="javascript:alert('object-classid');"></object>
>    <object archive="javascript:alert('object-archive');"></object>
>    <object data="javascript:alert('object-data');"></object>
>    <img src="javascript:alert('img-src');">
>    <script src="javascript:alert('script-src');"></script>
>    <applet code="javascript:alert('applet-code');"></applet>
>    <applet code="http://none"
> archive="javascript:alert('applet-archive');"></applet>
>    <applet code="http://none"
> codebase="javascript:alert('applet-codebase');"></applet>
>    <link rel="stylesheet" type="text/css"
> href="javascript:alert('link-href');" />

Just curious, why do we want to allow alert/confirm/prompt in URLs for
embed, object, applet etc?

I see some times problem in Firefox
https://bugzilla.mozilla.org/show_bug.cgi?id=616838

And I dont see any use case for that.

Cheers
Biju



More information about the whatwg mailing list