0

In an old piece of legacy code I found the following onclick event:

onclick="javascript:bSubmitted=true;"

Does anyone know what the javascript: label in front of this code does? I have never seen this notation before, and as far as I know whatever is in the onclick event is always javascript. Removing it, or changing it to something else doesn't seem to have an effect and IntelliJ seems to think it's an 'unnecessary label'.

Just out of curiousity I still would like to know what it does and what it can be used for. Does anyone know?

Rick
  • 935
  • 2
  • 7
  • 22
  • 2
    You can find your answer, in my opinion, in the HTML standards: https://html.spec.whatwg.org/ . Basically, the `javascript:` can be used as an url scheme which (just for adding something to the boilerplate) was and still is used for many XSS injections. In that case specifically (upon a click event) it sounds unnecessary indeed, while it could be useful on an `href`, for example (https://jsfiddle.net/73rmzjgw/) – briosheje Aug 02 '19 at 09:00
  • That actually makes sense. Having worked with this codebase for a while now, it makes perfect sense that somewhere in the past someone moved that part from the href to the onclick. Unfortunatly the git history doens't go back that far :). Could you turn this in an answer so I can mark it as correct? – Rick Aug 02 '19 at 11:04
  • I'm not sure whether it's the correct answer, I've just tried to find the informations in the most reliable source I could think of, which is the HTML spec. I didn't find anything on MDN as well, so it looks like there isn't that much to say on that topic other than the fact that in fact it "was" (and is) used as an url scheme... Anyway, I will add the answer. – briosheje Aug 02 '19 at 11:57
  • Well we have a pretty rigorous testing process, so if it turns out something does break by removing it, I'll update the question. For now this explaination seems to fit :). – Rick Aug 02 '19 at 13:30

2 Answers2

1

I think you can find your answer here (it's the only "official" source I've found that talks about this): HTML Standard.

Taken from 7.8.1 Navigating across documents

If resource is a request whose url's scheme is "javascript" Queue a task, on the DOM manipulation task source and associated with the active document of browsingContext, to run these steps:

Let response be the result of executing a javascript: URL request given resource, the source browsing context, and browsingContext. Run process a navigate response with resource, response, navigationType, the source browsing context, browsingContext, incumbentNavigationOrigin, and activeDocumentNavigationOrigin.

Basically, the javascript: can be used as an url scheme which (just for adding something to the boilerplate) was and still is used for many XSS injections.

In that case specifically (upon a click event) it sounds unnecessary indeed, while it could be useful on an href, as you may see here (fiddle linked because the StackOverflow snippet manager doesn't allow alerts on javascript:): https://jsfiddle.net/73rmzjgw/

briosheje
  • 7,356
  • 2
  • 32
  • 54
0

When any changes perform into form then javascript checks that, any changes is there or not. if it has any then it alerts the user before they navigate away from the page. This action can be disabled on a submit button click by adding

onclick="javascript:bSubmitted=true;"

to its tag.

Shivani Sonagara
  • 1,299
  • 9
  • 21
  • I'm not sure what you are talking about. I'm asking about the 'javascript:' part, not the 'bSubmitted=true' part. The variable is part of my applications logic and I know what that part does :). – Rick Aug 02 '19 at 11:02