Several years back I was on a job where the boss wanted to allow virtually any user-provided HTML/CSS/JS in a content area, while preventing redirects.
No implementation ever happened of course, but my first thought was, what would happen if we did a "<script>delete(window.location);</script>" near the top of the template?
Answer: nothing. But what would the implications be if browsers allowed it?
Interesting. I did a few tests and it seems Chrome will let me override window.location with __defineSetter__() but not document.location, while Safari was the other way around. Firefox 3.x won't let me redefine either one ("TypeError: redeclaration of var location").
No implementation ever happened of course, but my first thought was, what would happen if we did a "<script>delete(window.location);</script>" near the top of the template?
Answer: nothing. But what would the implications be if browsers allowed it?