What is the matter with script-targeted URLs?

Metalcoder picture Metalcoder · Nov 21, 2012 · Viewed 9.8k times · Source

I'm using JSHint, and it got the following error:

Script URL.

Which I noticed that happened because on this particular line there is a string containing a javascript:... URL.

I know that JSHint complained that because the scripturl option is set, and since my codebase is quite large, I'll have to unset it for now.

Still, I don't understood what is the issue of using script URLs?

Answer

SLaks picture SLaks · Nov 21, 2012

javascript: URLs are part of 'eval is evil'.

In order to execute the javascript: URL, the browser must fire up a JS parser and parse the text of the URL.
This is a slow and costly process.

Also, assembling javascript: URLs (or other strings that contain source code) is a tricky task which is prone to XSS vulnerabilities.

Finally, mixing code and URLs violates the separation of content and behavior (code).