Kevin Hecht wrote:
> While Hotmail obviously has a filtering hole, should the browser
> manufacturers be on the hook here as well, given that javascript: URLs
> probably shouldn't be rendered at all by the <IMG> tag?
JavaScript can be used to calculate the URL to open in a IMG tag.
<IMG SRC="&{find_image_to_open()};">
n
What is more suprising is why it is so hard to make a JavaScript
scrubber filter. The ways javascript may be inserted in HTML is generic,
and not tied to any specific tag or attributes. (see Netscape JavaScript
client guide, chapter 9)
<script>
</script>
<tag attribute="&{javascript_code};">
<tag url_attribute="javascript:javascript_code">
Due to the open nature of HTML it is impossible to know all attributes
which may contain URLs. And I thinks it is safe to assume that all
attribute values may be contain URLs... I can't come up with a practical
HTML application where the attribute value "javascript:<something>"
makes much sense other than when refering to javascript code to be
executed.
--
Henrik Nordstrom
