In article <37DCF0FE.908E4B4Fat_private> you write: > Note: This is not a browser problem, it is Hotmail's problem. It is a browser problem, at least for the Netscape version. > <P STYLE="left:expression(eval('alert(\'JavaScript is > executed\');window.close()'))" > One could argue that styles can be computed via Javascript... > <STYLE TYPE="text/javascript"> ...but that is ridiculous. The browser should simply ignore a stylesheet of an unknown type, there is a reason for the type parameter after all. (Unless it is a deliberate feature that you can substitute STYLE for SCRIPT, which I somehow doubt.) This is not only a problem for Hotmail but for all sorts of proxies which filter Javascript for security reasons. Since there is at least one recent version of both NC and IE which _doesn't_ let you disable Javascript at all due to bugs, such filtering is an absolute necessity, but you need to know where in the data stream it can appear. Btw. the example given for IE is a classic example of what is so wrong with Javascript: you can do anything with it - including e.g. trivial stealing of passwords by popping up fake login dialogs - _even if it doesn't make sense in the context_. This alone is a reason to completely block and disable it. Olaf
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:03:39 PDT