Question: Chrome vs Firefox Javascript behavior

Added at 2017-01-04 13:01
Question

Here's a "data:" URI; load this in a browser.

data:text/html,<script>alert("#")</script>

I get alert() executed in Chrome, but not in Firefox. Firefox removes the "#" character and all the following characters. How can I make FF alert("#")?

Update: I understand the "#" fragment part, but the question is more like "Why did Chrome ignore the "fragment" case and consider it as a normal character, when FF didn't?".

Answers
No. #1, added: 2017-01-04 14:01

A # has special meaning in a URL (it indicates the start of the fragment part). You have to encode it as %23 to include it as data.

No. #2, added: 2017-01-04 14:01

The data portion of a data URI must be encoded; # as a literal character is not allowed. From the Wikipedia page:

The data, separated from the preceding part by a comma (,). The data is a sequence of octets represented as characters. Permitted characters within a data URI are the ASCII characters for the lowercase and uppercase letters of the modern English alphabet, and the Arabic numerals. Octets represented by any other character must be percent-encoded, as in %26 for an ampersand (&).

...which cites RFC3986.

So your data URI should be:

data:text/html,%3Cscript%3Ealert(%22%23%22)%3C%2Fscript%3E

...which works in both Chrome and Firefox:

<a href="data:text/html,%3Cscript%3Ealert(%22%23%22)%3C%2Fscript%3E">Click here</a>

You can get the URI data using JavaScript's encodeURIComponent, e.g.:

var dataUri = "data:text/html," + encodeURIComponent('<script>alert("#")</script>');
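
Added example, not part of either answer: a check of what a spec-following URL parser (the WHATWG `URL` class in Node.js and browsers) treats as payload versus fragment for the two URIs above. The function names `splitDataUrl` and `buildHtmlDataUrl` are hypothetical helpers introduced for this illustration.

```javascript
// Split a data: URL the way a spec-following parser sees it.
// Everything after the first literal '#' is the fragment and is
// never part of the document body.
function splitDataUrl(raw) {
  const u = new URL(raw);
  if (u.protocol !== 'data:') {
    throw new TypeError('not a data: URL');
  }
  // A literal '?' is parsed as a query, but it still belongs to the
  // data: payload, so it is re-joined here. Only the fragment is cut off.
  const rest = u.pathname + u.search;
  const comma = rest.indexOf(',');
  if (comma === -1) {
    throw new TypeError('data: URL has no comma separator');
  }
  return {
    mediaType: rest.slice(0, comma),
    body: decodeURIComponent(rest.slice(comma + 1)),
    fragment: decodeURIComponent(u.hash),
  };
}

// Build the URL so that '#', '<', '"' and similar characters travel
// as percent-encoded data instead of URL syntax.
function buildHtmlDataUrl(html) {
  return 'data:text/html,' + encodeURIComponent(html);
}

// The two URIs from the question and the second answer.
const unencoded = 'data:text/html,<script>alert("#")</script>';
const encoded = buildHtmlDataUrl('<script>alert("#")</script>');

for (const candidate of [unencoded, encoded]) {
  const parts = splitDataUrl(candidate);
  console.log(candidate);
  console.log('  body:    ', JSON.stringify(parts.body));
  console.log('  fragment:', JSON.stringify(parts.fragment));
}
```

For the unencoded URI the body ends at `alert("` and the rest lands in the fragment, which matches the truncation the question reports in Firefox.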