
#65 treat javascript: URIs the same as data:

open
nobody
5
2012-12-12
2011-06-24
al_9x
No

Granted, they are not that common, but still this is worth considering.

data: URIs are displayed in the document view without any errors, and "view" on them opens the data: payload in the editor.

javascript: URIs are shown highlighted, with an error (Invalid url), and "view" doesn't open the script.

There is no reason to treat them as an error, despite the fact that nsIURL doesn't like them, and "view" should work, i.e. open the script.

Discussion

  • Davide Ficano

    Davide Ficano - 2011-06-24

    Suppose the code shown below

    <iframe src="javascript:'alert(1)'"></iframe>

    This generates an error, but also your original

    <iframe src="javascript:'javascript:'"></iframe>

    generates an error trying to open (OK, this is due to the fact it is syntactically wrong)

    I'm ready to change the new behaviour if necessary

     
  • al_9x

    al_9x - 2011-06-24

    First of all, "javascript:'alert(1)'" is not a call to alert, it's a string literal expression 'alert(1)'.
    "javascript:'javascript:'" is a string literal expression 'javascript:'; it is not syntactically wrong.

    The way javascript: urls work, is everything after the : is executed and the output of the final expression statement becomes the content returned.

    I have no idea why nsIURL doesn't like javascript: URIs, but they are not invalid. I am proposing that you simply display them without the invalid url error and allow the script contents to be opened

     
  • Davide Ficano

    Davide Ficano - 2011-06-27

    Please excuse my ignorance. If I understand, when I found

    <iframe src="javascript:'javascript:'"></iframe>

    The text in the editor must contain only the

    javascript:

    When I found

    <iframe src="javascript:'alert(1)'"></iframe>

    The text in the editor must contain only the

    alert(1)

    Is this correct?

     
  • al_9x

    al_9x - 2011-06-27

    To make sure I got the question right, you are asking what should be in the text editor when you open/view a javascript: URL?

    I would think, the entire script, everything following javascript:

    In your examples you were stripping the single quotes, they are part of the script.

    The URL is going to be %encoded, so it needs to be decoded.
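
The behaviour requested in this thread (show everything after `javascript:`, quotes included, percent-decoded), as an added example that is not code from the extension or from either commenter. The function names are hypothetical, and matching the scheme case-insensitively and tolerating malformed escapes are assumptions that go beyond what the thread states.

```javascript
// Added example: recover the script text of a javascript: URI for display only.
// Nothing here evaluates the script; it is returned as a string for an editor view.

// Percent-decode leniently. decodeURIComponent throws URIError on a malformed
// escape (a lone "%", or bytes that are not valid UTF-8), which would otherwise
// hide the whole script from the viewer.
function lenientPercentDecode(text) {
  // Decode each maximal run of %XX escapes as UTF-8; leave undecodable runs as-is.
  return text.replace(/(?:%[0-9a-fA-F]{2})+/g, (run) => {
    try {
      return decodeURIComponent(run);
    } catch (e) {
      return run; // not valid UTF-8: show the raw escapes instead of failing
    }
  });
}

// Returns the script source, or null when the value is not a javascript: URI.
// Assumption: the scheme is matched case-insensitively (URI schemes are
// case-insensitive) and leading control characters and spaces are skipped.
function scriptFromJavascriptUri(attrValue) {
  const match = /^[\u0000-\u0020]*javascript:([\s\S]*)$/i.exec(attrValue);
  if (match === null) return null;
  // Everything after the first colon is the script, quotes included.
  return lenientPercentDecode(match[1]);
}

// Constructed sample attribute values; the first two are the thread's examples.
const samples = [
  "javascript:'alert(1)'",
  "javascript:'javascript:'",
  "JavaScript:document.title%20%2B%20'%C3%A9'",
  "javascript:'100%'",
  "data:text/plain,hello",
];

for (const value of samples) {
  const script = scriptFromJavascriptUri(value);
  console.log(JSON.stringify(value), "->",
    script === null ? "(not a javascript: URI)" : JSON.stringify(script));
}
```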

     
