What is the matter with script-targeted URLs?


Problem description

I'm using JSHint, and it got the following error:

Script URL.

I noticed that this happened because on this particular line there is a string containing a javascript:... URL.

I know that JSHint complained about that because the scripturl option is set, and since my codebase is quite large, I'll have to unset it for now.

Still, I don't understand what the issue with using script URLs is.

Recommended answer

javascript: URLs are part of 'eval is evil'.

In order to execute the javascript: URL, the browser must fire up a JS parser and parse the text of the URL.
This is a slow and costly process.

Also, assembling javascript: URLs (or other strings that contain source code) is a tricky task which is prone to XSS vulnerabilities.

Finally, mixing code and URLs violates the separation of content and behavior (code).
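
An added example (not part of the original answer) of the XSS and separation points above: a link assembled as a javascript: URL beside one that carries the value as data only. The names greet, buildScriptUrlLink, buildDataLink, scriptSeenByBrowser and recordCalls, and the sample input, are assumptions made up for this illustration.

```javascript
// Added example; greet, buildScriptUrlLink and buildDataLink are hypothetical names.

// Escape text for a double-quoted HTML attribute value.
function escapeAttr(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// BEFORE: source code assembled into a javascript: URL. The value crosses an
// HTML attribute and then a JS string literal; attribute escaping is undone by
// the browser before the JS parser runs, so it cannot protect the literal.
function buildScriptUrlLink(userName) {
  const href = "javascript:greet('" + userName + "')";
  return '<a href="' + escapeAttr(href) + '">Greet</a>';
}

// AFTER: the value travels as data only. Behaviour is attached separately, e.g.
//   link.addEventListener("click", (e) => greet(e.currentTarget.dataset.name));
function buildDataLink(userName) {
  return '<a href="#" class="greet" data-name="' + escapeAttr(userName) + '">Greet</a>';
}

// Approximates what a browser hands to the JS parser for a link: the href value
// after entity decoding, minus the javascript: scheme (null for other hrefs).
function scriptSeenByBrowser(html) {
  const href = /href="([^"]*)"/.exec(html)[1]
    .replace(/&quot;/g, '"').replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
  return href.startsWith("javascript:") ? href.slice("javascript:".length) : null;
}

// Runs a script with stubbed greet/alert and returns the calls it made.
function recordCalls(script) {
  const calls = [];
  const stub = (name) => (...args) => { calls.push(name + "(" + args.join(",") + ")"); };
  new Function("greet", "alert", script)(stub("greet"), stub("alert"));
  return calls;
}

// Constructed input: a "name" containing a quote that closes the JS string literal.
const HOSTILE_NAME = "x'); alert('injected";

console.log(recordCalls(scriptSeenByBrowser(buildScriptUrlLink("Alice"))));      // one call
console.log(recordCalls(scriptSeenByBrowser(buildScriptUrlLink(HOSTILE_NAME)))); // two calls
console.log(scriptSeenByBrowser(buildDataLink(HOSTILE_NAME)));                   // null
```

With the data-attribute form there is no script text for the value to alter, so the JSHint "Script URL." warning and the injection path go away together.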
