0

I was wondering what elements can contain javascript code in their attributes? I know that it's allowed in link "href" (javascript://) and all on* attributes.

Do browsers execute javascript code from any other attributes?

5
  • You're asking for "security". What exactly do you have in mind? Commented Jun 27, 2013 at 0:34
  • Have a look at w3.org/TR/html4/index/attributes.html and search for %Script;. The only attributes are the on* attributes. Commented Jun 27, 2013 at 0:34
  • There, next to href, is "%URI". So that means that any attributes that are "%URI" may contain javascript? Like the background attribute from body or cite from blockquotes? Commented Jun 27, 2013 at 0:42
  • @thelolcat: Next to href on anchors/areas I've found forms to execute javascript-pseudoprotocol-URIs in their action attribute for example. It doesn't work for all %URI attributes though, e.g. an img src Commented Jun 27, 2013 at 0:44
  • @thelolcat it would help people help you if you would describe what you're really trying to do. JavaScript in tag attributes is generally a bad, old-fashioned practice. Commented Jun 27, 2013 at 0:44

1 Answer

2

It's allowed in href because that's what gets put into your browser address bar. Similarly you can use something like:

document.location.href = 'javascript:alert("hello");';

There isn't really a good reason to put JavaScript in href though. It's very limited in its usefulness. I would suggest the proper route of onclick handlers or some setup that reacts to changes in the # (hash).
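For anyone filtering untrusted markup, the attributes named in this thread (on*, href, action, and the %URI attributes asked about in the comments) can be checked as in the sketch below. It is an added example, not code from the question or the answer; the function names, the scheme allowlist and the constructed sample attributes are assumptions.

```javascript
// Added example. Attribute names come from the thread; src, background and cite
// are included conservatively because the comments show behaviour varies per attribute.
const URL_ATTRS = new Set(["href", "action", "src", "background", "cite"]);
// Assumed allowlist: anything with another scheme is rejected, not just "javascript".
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Browser URL parsing strips leading/trailing control characters and spaces and
// drops tab/CR/LF anywhere in the string, so normalise the same way before
// reading the scheme. Returns null for relative URLs.
function urlScheme(value) {
  const cleaned = value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Returns "event-handler", "unsafe-url" or "ok" for one attribute.
function classifyAttribute(name, value) {
  const attr = name.toLowerCase();
  // Any on* name is treated as a script-bearing event handler (conservative).
  if (attr.startsWith("on")) return "event-handler";
  if (URL_ATTRS.has(attr)) {
    const scheme = urlScheme(value);
    if (scheme !== null && !SAFE_SCHEMES.has(scheme)) return "unsafe-url";
  }
  return "ok";
}

// Returns the names of the attributes a sanitizer should drop.
function auditAttributes(attrs) {
  return attrs
    .filter(([name, value]) => classifyAttribute(name, value) !== "ok")
    .map(([name]) => name);
}

// Constructed sample input: [name, value] pairs as a parser would hand them over.
const SAMPLE = [
  ["onclick", "alert(1)"],
  ["href", " JaVa\tScript:alert(1)"],
  ["action", "javascript:void(0)"],
  ["href", "https://example.com/"],
  ["href", "/docs?x=a:b"],
  ["title", "javascript:alert(1)"],
];

console.log(auditAttributes(SAMPLE)); // names of the attributes to drop
```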
