I thought it would be great to quickly share some interesting stuff I noticed about the way different browsers handle the JavaScript location object, but first a few words about the object’s properties and what they contain:
- hash – everything after the # (anchor) in the URL
- host – the hostname and port
- hostname – the hostname
- href – the full URL
- pathname – path to the requested file
- port, protocol – I think these speak for themselves
- search – the query string (~GET parameters)
- target – the URL link’s target name
What is so interesting about these properties? Well, it seems that the different browsers handle the values in them differently, and if they are written back into the HTML with JavaScript (for example with document.write) they can easily lead to cross-site scripting. Here is a summary of the properties I found “interesting” (i.e. not encoded by the browser):
| Property | IE 8 | Firefox 3.6.3 | Chrome 4.1.249.1064 | Opera 10.53 |
|---|---|---|---|---|
| location.hash | not encoded | not encoded | not encoded | not encoded |
| location.href | not encoded | encoded | not encoded (the hash in it is not encoded) | not encoded (the hash in it is not encoded) |
| location.search | not encoded | encoded | encoded | encoded |
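As an added example (not code from the original post), here is the document.write-style pattern described above next to a hardened version that HTML-escapes every location part before it reaches the markup. `fakeLocation` is a constructed stand-in for window.location so the snippet runs outside a browser; since the table shows that no browser encodes the hash, relying on the browser to encode for you is not an option.

```javascript
// Constructed stand-in for window.location with markup smuggled into the
// unencoded parts (hash, and href/search in the browsers that leave them raw).
const fakeLocation = {
  href: "https://example.invalid/page.html?q=1<script>alert(1)</script>#<script>alert(2)</script>",
  search: "?q=1<script>alert(1)</script>",
  hash: "#<script>alert(2)</script>",
};

// The sink the post warns about: location parts concatenated straight into
// HTML, exactly what document.write("..." + location.hash + "...") produces.
function renderUnsafe(loc) {
  return "<p>You are at " + loc.href + "</p>" +
         "<p>Query: " + loc.search + "</p>" +
         "<p>Anchor: " + loc.hash + "</p>";
}

// Minimal HTML escaper: neutralises the five characters that can open a tag,
// an attribute or an entity, so the value is rendered as text, not parsed.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened version: same output layout, every untrusted part escaped.
function renderSafe(loc) {
  return "<p>You are at " + escapeHtml(loc.href) + "</p>" +
         "<p>Query: " + escapeHtml(loc.search) + "</p>" +
         "<p>Anchor: " + escapeHtml(loc.hash) + "</p>";
}

// Detection helper for the check: does a rendered fragment still contain a
// live <script> opening tag (i.e. did the untrusted markup survive intact)?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe contains <script>:", containsScriptTag(renderUnsafe(fakeLocation)));
console.log("safe   contains <script>:", containsScriptTag(renderSafe(fakeLocation)));
```

In a real page, prefer assigning the value to a text node (textContent) over building HTML strings at all; the escaper above is the fallback when you must build markup.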