I'm using JSHint, and it got the following error:
Script URL.
Which I noticed that happened because on this particular line there is a string containing a javascript:...
URL.
I know that JSHint complained that because the scripturl
option is set, and since my codebase is quite large, I'll have to unset it for now.
Still, I don't understood what is the issue of using script URLs?
javascript:
URLs are part of 'eval is evil'.
In order to execute the javascript:
URL, the browser must fire up a JS parser and parse the text of the URL.
This is a slow and costly process.
Also, assembling javascript:
URLs (or other strings that contain source code) is a tricky task which is prone to XSS vulnerabilities.
Finally, mixing code and URLs violates the separation of content and behavior (code).