What is the matter with script-targeted URLs?

javascript validation jshint
Metalcoder picture Metalcoder · Nov 21, 2012 · Viewed 9.8k times · Source

I'm using JSHint, and it got the following error:

Script URL.

Which I noticed that happened because on this particular line there is a string containing a javascript:... URL.

I know that JSHint complained that because the scripturl option is set, and since my codebase is quite large, I'll have to unset it for now.

Still, I don't understood what is the issue of using script URLs?

Answer

SLaks picture SLaks · Nov 21, 2012

javascript: URLs are part of 'eval is evil'.

In order to execute the javascript: URL, the browser must fire up a JS parser and parse the text of the URL.
This is a slow and costly process.

Also, assembling javascript: URLs (or other strings that contain source code) is a tricky task which is prone to XSS vulnerabilities.

Finally, mixing code and URLs violates the separation of content and behavior (code).

Related questions

How to validate an email address in JavaScript

Is there a regular expression to validate an email address in JavaScript?

Read More
Validate decimal numbers in JavaScript - IsNumeric()

What's the cleanest, most effective way to validate decimal numbers in JavaScript? Bonus points for: Clarity. Solution should be clean and simple. Cross-platform. Test cases: 01. IsNumeric('-1') => true 02. IsNumeric('-1.5') => true 03. IsNumeric('0') => true 04. …

Read More
(Built-in) way in JavaScript to check if a string is a valid number

I'm hoping there's something in the same conceptual space as the old VB6 IsNumeric() function?

Read More