What's so special about "go"?

General discussion about the NoScript extension for Firefox
Post Reply
barbaz
Senior Member
Posts: 9178
Joined: Sat Aug 03, 2013 5:45 pm

What's so special about "go"?

Post by barbaz » Wed Jun 15, 2016 4:41 pm

When NoScript Options > Advanced > Untrusted > "Attempt to fix JavaScript links" is checked, and browsing a page with this code, simply selecting a different choice in the drop-down navigates to other page as specified. Wasn't sure if I'd just found a security flaw or usability feature in NoScript, so put a slight variant on it up on my server for testing...

Code: Select all

<form name="cc">
<p><select name="selector" size="1" onchange="go()">
<option value="http://<MY_SERVER>/path1/">f1</option>
<option value="http://<MY_SERVER>/path2/somefile">f2</option>
<option value="http://<MY_SERVER/">HOME</option>
</select>
<input name="test" value="AAAAAAAA" onclick="go()" type="button">
</p>

<script type="text/javascript">
function go() {
alert('Foo!');
window.location.href=document.cc.selector.options[document.cc.selector.selectedIndex].value
}
</script>
</form>

... and discovered that renaming the "go" function is all that's required to prevents this behavior. (And it looks that the page's "go" isn't what's executing, but I was pretty concerned for a moment there!)

This is not intuitive - given the presence of that button, I would expect to need to click it for the navigation to occur. However, with script disabled clicking it does nothing.

What's so special about the name "go", and why the button isn't the JS link that's fixed in this case?
*Always* check the changelogs BEFORE updating that important software!
-

Post Reply