Re: Hotmail security hole - injecting JavaScript using <IMG

From: Henrik Nordstrom (hnoat_private)
Date: Tue Jan 04 2000 - 16:25:02 PST


    Kevin Hecht wrote:
    
    > While Hotmail obviously has a filtering hole, should the browser
    > manufacturers be on the hook here as well, given that javascript: URLs
    > probably shouldn't be rendered at all by the <IMG> tag?
    
    JavaScript can be used to calculate the URL to open in an IMG tag.
    
    <IMG SRC="&{find_image_to_open()};">
    What is more surprising is why it is so hard to make a JavaScript
    scrubber filter. The ways javascript may be inserted in HTML are generic,
    and not tied to any specific tag or attributes. (see Netscape JavaScript
    client guide, chapter 9)
    
    <script>
    </script>
    
    <tag attribute="&{javascript_code};">
    
    <tag url_attribute="javascript:javascript_code">
    
    Due to the open nature of HTML it is impossible to know all attributes
    which may contain URLs. And I think it is safe to assume that all
    attribute values may contain URLs... I can't come up with a practical
    HTML application where the attribute value "javascript:<something>"
    makes much sense other than when referring to javascript code to be
    executed.
    
    
    --
    Henrik Nordstrom
    
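The three injection forms listed in the post (a script element, the `&{code};` JavaScript entity inside any attribute value, and a `javascript:` URL in any attribute) can be checked for in one pass if the filter inspects every attribute rather than a fixed list of "URL attributes". The scanner below is an added example, not code from the original post or from Hotmail; it uses Python's standard `html.parser` so that attribute values are seen after the parser has decoded them, and it is contrasted with a naive tag-and-attribute-list filter of the kind the post argues is insufficient. The sample markup is constructed for the demonstration, and `find_image_to_open()` and `load_background()` are placeholder function names.

```python
"""Scan HTML for the three JavaScript vectors named in the post.

Added example (not from the original post). Uses the stdlib HTML parser so
attribute values are examined as the parser delivers them, and checks every
attribute of every tag, since no list of "URL attributes" can be complete.
"""
import re
from html.parser import HTMLParser

# Netscape 4 "JavaScript entity" syntax inside an attribute value: &{code};
JS_ENTITY_RE = re.compile(r"&\{.*?\}", re.S)
# Whitespace and control characters a lenient browser may skip before a scheme
STRIP_RE = re.compile(r"[\x00-\x20]")


def is_javascript_url(value: str) -> bool:
    """True if the value is a javascript: URL after case/whitespace normalisation."""
    return STRIP_RE.sub("", value).lower().startswith("javascript:")


class ScriptVectorScanner(HTMLParser):
    """Records each place script could run, whatever the tag or attribute name."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "script":
            self.findings.append(("script-tag", tag, None, None))
        for name, value in attrs:
            if value is None:  # boolean attribute, nothing to evaluate
                continue
            if JS_ENTITY_RE.search(value):
                self.findings.append(("js-entity", tag, name, value))
            elif is_javascript_url(value):
                self.findings.append(("javascript-url", tag, name, value))


def scan_html(html: str):
    """Return a list of (kind, tag, attribute, value) findings for the document."""
    scanner = ScriptVectorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def naive_filter_blocks(html: str) -> bool:
    """A tag/attribute-list filter of the kind the post says is insufficient.

    It only knows about <script> and javascript: in HREF or SRC, so it
    passes the IMG entity form and any URL attribute it has not heard of.
    """
    return bool(re.search(r"<script|\b(href|src)\s*=\s*[\"']?\s*javascript:",
                          html, re.I))


# Constructed samples: one harmless document plus one per vector from the post.
SAMPLES = {
    "plain": '<p>Hello <a href="http://example.com/">home</a> <img src="/logo.gif"></p>',
    "script": "<script>document.title = 'x'</script>",
    "entity": '<IMG SRC="&{find_image_to_open()};">',
    "url-in-unlisted-attr": '<BODY BACKGROUND="  JavaScript:load_background()">',
}

if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        print(f"{label:22} naive_blocks={naive_filter_blocks(markup)!s:5} "
              f"findings={scan_html(markup)}")
```

Running the block shows the naive filter blocking only the `<script>` sample, while the scanner flags all three vectors, including the `javascript:` URL in the `BACKGROUND` attribute that no fixed attribute list would have covered. A real scrubber would go one step further and drop any attribute value that produces a finding rather than just reporting it.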



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:26:10 PDT