[whatwg] URL: javascript URLs

Boris Zbarsky bzbarsky at MIT.EDU
Fri Sep 28 08:45:33 PDT 2012


On 9/28/12 11:34 AM, Boris Zbarsky wrote:
> I'm not sure why it never hits the alert.  A similar testcase not inside
> the live dom viewer works just fine.

Oh, I see why it's different.

In the case I was testing (just loading a file from file://), the 
javascript: URI is created from the string 'javascript:alert("%E2%84")' 
with charset set to ISO-8859-1.  When the URI parser is done with that, 
it has converted it to an internal representation that looks like 
'javascript:alert("%C3%A2%E2%80%9E")' and then when you unescape and 
convert from UTF-8 you get those original two ISO-8859-1 chars.

But on the live dom viewer, the URI is being created from the same 
string, but with charset set to UTF-8.  When the URI parser is done with 
that, it has converted to an internal representation that looks like 
'javascript:alert("%e2%84")' and then when you unescape you get a byte 
array with the bytes 0xe2 0x84, and converting from UTF-8 you get a 
0-length string because the "convert from utf-8" function involved 
doesn't handle malformed utf-8 very well.  So nothing happens.

-Boris




More information about the whatwg mailing list