21

I'm using JSHint, and it got the following error:

Script URL.

I noticed that this happened because on this particular line there is a string containing a javascript:... URL.

I know that JSHint complained about that because the scripturl option is set, and since my codebase is quite large, I'll have to unset it for now.

Still, I don't understand: what is the issue with using script URLs?

Paul D. Waite
Metalcoder

1 Answer

29

javascript: URLs are part of 'eval is evil'.

In order to execute the javascript: URL, the browser must fire up a JS parser and parse the text of the URL.
This is a slow and costly process.

Also, assembling javascript: URLs (or other strings that contain source code) is a tricky task which is prone to XSS vulnerabilities.

Finally, mixing code and URLs violates the separation of content and behavior (code).

SLaks
  • Doesn't it have to do the same parse if you put the script in ` – Barmar Nov 21 '12 at 16:49
  • 3
    @Barmar: It needs to parse your ` – SLaks Nov 21 '12 at 16:49
  • Separation of code and content: isn't it more obvious to insert a script URL than to attach an event to an element, prevent default, and override the apparent content in some hidden place in the code? How else might I submit a form using AJAX? – bmacnaughton Feb 10 '17 at 12:01
  • "the browser must fire up a JS parser and parse the text of the URL" How can I confirm this statement? – tsh Dec 22 '17 at 08:09
  • @tsh: How do you expect the browser to run code without parsing it? – SLaks Dec 22 '17 at 15:07
  • 5
    Browsers may want to specially optimize links like `javascript:;` and `javascript:void(0);` since they are quite common. – tsh Dec 24 '17 at 11:53
  • Developers may want to write correct HTML since that's what we expect from them. – MatTheCat Nov 26 '18 at 11:20
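
The answer's point that assembling javascript: URLs is prone to XSS, shown as an added example (not code from the question or the answer): a value placed in such a URL passes through a URL-decoding layer and then a script-parsing layer, and escaping for only one of them fails. `showUser` and `extra` are hypothetical functions, the inputs are constructed, and `new Function` stands in for the browser's evaluation step.

```javascript
// Added example. showUser and extra are hypothetical page functions;
// all inputs below are constructed.

// Roughly what a browser does with a javascript: URL: drop the scheme,
// percent-decode the rest, then parse and run the result as script.
function callsMade(url) {
  const calls = [];
  const showUser = (name) => calls.push(["showUser", name]);
  const extra = () => calls.push(["extra"]); // stands in for any unintended code
  try {
    const source = decodeURIComponent(url.replace(/^javascript:/i, ""));
    new Function("showUser", "extra", source)(showUser, extra);
  } catch (err) {
    calls.push(["error", err.name]);
  }
  return calls;
}

// Fragile: the value is pasted straight into script source.
function naiveUrl(name) {
  return "javascript:showUser('" + name + "')";
}

// Still fragile: quotes are escaped for the JS layer only, but the URL
// layer is percent-decoded first, so %27 becomes a quote again.
function jsEscapedUrl(name) {
  const escaped = name.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
  return "javascript:showUser('" + escaped + "')";
}

// Encodes each layer in order: JS string literal, then URL. Writing the
// result into markup still needs HTML attribute escaping on top.
function layeredUrl(name) {
  return "javascript:" + encodeURIComponent("showUser(" + JSON.stringify(name) + ")");
}

const quoteInput = "');extra();//";     // constructed input
const percentInput = "%27);extra();//"; // constructed input
console.log(callsMade(naiveUrl(quoteInput)));       // showUser and extra both run
console.log(callsMade(jsEscapedUrl(quoteInput)));   // showUser only
console.log(callsMade(jsEscapedUrl(percentInput))); // showUser and extra both run
console.log(callsMade(layeredUrl(percentInput)));   // showUser only
```

On a real page, keeping the value in a `data-` attribute and reading it from a handler attached with `addEventListener` avoids assembling script source from strings at all.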