Matthias said:
Uh? I was under the impression that a "href" attribute is supposed
to contain an URL. Where is an URI type/syntax of "javascript:;;;"
defined? (Ignoring the fact that such an abuse is very hostile to
readers.)
According to the relevant Specifications, the value of the `href' attribute
must be of type _URI_, i.e. a URI or URI reference as defined in RFC3986
(which obsoletes RFC2396 as referred to by the HTML 4.01 Specification). By
these criteria, `javascript:;;;' does qualify as a URI: However
proprietary, `javascript' can be produced as the scheme name, and `;;;' can
be produced by the `path-rootless' production of the RFC's grammar.
,-<
http://www.rfc-editor.org/rfc/rfc3986.txt>
|
| Appendix A. Collected ABNF for URI
|
| URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
| [...]
| scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
| [...]
| hier-part = "//" authority path-abempty
| / path-absolute
| / path-rootless
| / path-empty
| [...]
| path-rootless = segment-nz *( "/" segment )
| [...]
| segment-nz = 1*pchar
| [...]
| pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
| [...]
| sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
| / "*" / "+" / "," / ";" / "="
It is notable that the `;' character actually serves as sub-delimiter in
ECMAScript implementations: it delimits adjacent Statements. In fact, we
have three adjacent EmptyStatements here. Not useful, and certainly not to
be recommended in this context, but syntactically valid nonetheless.
(You asked for it ;-))
You mean the content of the "onclick" attribute, right?
And the value of the `href' attribute.
But that's only a part, a fragment not the whole thing the OP posted.
Doesn't matter. I would consider it to be wrong to say that it is not
JavaScript when a subset is written in what could be executed as JavaScript.
Who knows? Something like "this.style. ..." looks like CSS.
You are confused. Something like this could only be CSS (i.e. be produced
by the CSS grammar) if there was an element type `this' that had a `class'
attribute with value `style'. Since we are talking HTML here, this could
never be CSS. Also, the `=' character could never be part of CSS in this
context.
It is clearly an attempt at client-side stylesheet scripting. The language
used is apparently an ECMAScript implementation here; it may be JavaScript,
or it could be considered "JavaScript" in the broadest sense. However
error-prone if used untested, the value assigned the the property here
modifies the proprietary `behavior' style property of the MSHTML DOM; in the
broadest sense, this value could be considered CSS (the CSS Specification
supports code which uses unspecified properties and values by specifying a
fallback mechanism).
Do you think he knows the difference? Considering he tried to call
a "setHomePage() method of an anchor element?
Nope, and neither did you. Hence the clarification
PointedEars