
27 May 2008, 4:19 a.m.
Hi Peter,

<p><img src="javascript:alert('XSS');" alt=""/></p>

That's a bad example, since it's a bit dodgy, and possibly a security flaw. I prefer the example: <a href="javascript:alert('XSS');">foo</a> This works in all browsers.

For a URI, if you have javascript: as the prefix, the rest can be any javascript expression - including brackets etc. If you have javascript as the protocol, it's not really a URI pointing at a document anymore.

Thanks
Neil
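An added example, not part of Neil's reply or the original thread, showing the defensive side of his point: when a value is going into href or src, the scheme decides whether it is a document reference or a script, so allow-list the scheme after parsing it the way a browser would (the function names and the `placeholder.invalid` base are assumptions):

```javascript
// Schemes that still point at a document or mailbox rather than running code.
// Relative URLs are accepted because they resolve to the base's scheme.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns true only if the value parses and its scheme is on the allow-list.
function isSafeUrl(value) {
  let parsed;
  try {
    // Resolving against a base lets relative links ("/about", "img.png") through.
    parsed = new URL(String(value), 'https://placeholder.invalid/');
  } catch {
    return false; // unparseable input: reject rather than guess
  }
  // The WHATWG parser strips leading/trailing whitespace and lowercases the
  // scheme, so padded or mixed-case "javascript:" values still land here as
  // "javascript:" and are rejected along with data:, vbscript:, file:, etc.
  return SAFE_SCHEMES.has(parsed.protocol);
}

// Returns the value to put in the attribute, or null to drop the attribute.
function sanitizeUrlAttr(value) {
  return isSafeUrl(value) ? String(value) : null;
}

// Attribute/text escaping for the surrounding HTML (a separate concern from
// the scheme check: escaping alone would not stop a javascript: href).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Builds the <a> from the thread: an unsafe href is dropped entirely.
function renderLink(href, text) {
  const safeHref = sanitizeUrlAttr(href);
  const attr = safeHref === null ? '' : ` href="${escapeHtml(safeHref)}"`;
  return `<a${attr}>${escapeHtml(text)}</a>`;
}
```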