JDK-5081700 : Java Plug-In no longer supports 'javascript:' URLs after MS Hotfix 867801

Details
Type: Bug
Submit Date: 2004-08-02
Status: Resolved
Updated Date: 2005-02-10
Project Name: JDK
Resolved Date: 2004-10-12
Component: deploy
OS: windows_xp
Sub-Component: plugin
CPU: x86
Priority: P2
Resolution: Fixed
Affected Versions: 1.4.2, 1.4.2_05
Fixed Versions: 5.0u1 (b04)


Description
synopsis:    Java Plug-In no longer supports 'javascript:' URLs after MS Hotfix 86780
description:

FULL PRODUCT VERSION :
Applies to 1.4.2 and all recent (if not all period) JPIs.

ADDITIONAL OS VERSION INFORMATION :
Applies to any Microsoft OS to which the given hotfix has been applied

EXTRA RELEVANT SYSTEM CONFIGURATION :
See http://support.microsoft.com/?kbid=875345 for more information on Microsoft hotfix 86780.

A DESCRIPTION OF THE PROBLEM :
Microsoft's latest hot fix has broken any of our applets that use the 'javascript:' URL methodology to interact with the HTML document.

We switched to this because of all the problems with the JSObject calls (most particularly in Internet Explorer). It now appears that we are dead in the water with this hotfix.

The Hot fix mentions different calls can be made by the native code as replacement functionality. It appears that this means the JRE must change its native code calls for Windows.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Call a JavaScript function (in the enclosing page) from an applet via:

  appletContext.showDocument( new URL( "javascript:..." ) )

Note this approach does not allow a return value, but that is not an issue in many cases.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The given JavaScript function should be called successfully.
ACTUAL -
Call is prevented by MS hotfix.

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
One might argue that the workaround is to use JSObject, but:

1) JSObject is far less stable than 'javascript:' URL usage and thus is best avoided except when one needs the return value of the JavaScript function.

2) This defeats the generality of treating JavaScript calls as yet another URL type.

                                    

Comments
EVALUATION

Requires careful understanding of security bulletin and the mentioned workaround to provide the fix in Java Plug-in
###@###.### 2004-08-03

The API AppletContext.showDocument() internally uses DOM API window.open() to perform the operation. With the new hotfix, window.open() doesn't allow JavaScript URL usage. Hence applets using JavaScript URL in showDocument() will fail after the hotfix is applied. 
###@###.### 2004-08-05

The MS IE implementation for showDocument has been changed as follows:
> window.open( url, _top );
--
< if (url is javascript){
<   window.execScript( "window.open(url)" );
< }else{
<   window.open( url, _top );
< }
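
Review bot: In the javascript branch, the argument to window.execScript is the quoted text "window.open(url)", so it is unclear whether the script receives the value of url or only the literal name. If the value is concatenated into the script string, it has to be escaped as a string literal (quotes, backslashes, line breaks) so that text supplied by the applet cannot change the script that runs. The test "url is javascript" should also state how the scheme is matched (case-insensitively, ignoring leading whitespace), and this branch drops the _top target that the original call and the else branch pass; please say whether that is intentional.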

###@###.### 2004-09-10
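
The showDocument() routing described in the evaluation above, as an added example in JavaScript (not the Java Plug-in's own native code). It assumes the scheme normalisation that current URL parsers apply, and urlScheme, showDocument and makeStubWindow are hypothetical names; the stub window is constructed so the sketch runs outside a browser.

```javascript
// Added example: scheme classification plus the two dispatch paths from the
// evaluation, exercised against a stub object instead of a real IE window.

// URL parsers ignore leading control characters and spaces, drop tab/CR/LF
// anywhere in the input, and treat the scheme as case-insensitive.
function urlScheme(url) {
  const cleaned = String(url)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Turn arbitrary text into a script string literal. JSON.stringify escapes
// quotes, backslashes and control characters; U+2028/U+2029 are escaped as
// well because older script engines treat them as line terminators.
function toScriptLiteral(text) {
  return JSON.stringify(String(text))
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// javascript: URLs take the execScript path with the URL passed as data;
// every other URL keeps the original window.open(url, "_top") call.
function showDocument(win, url, target = "_top") {
  if (urlScheme(url) === "javascript") {
    const script = "window.open(" + toScriptLiteral(url) + ")";
    win.execScript(script);
    return { path: "execScript", script };
  }
  win.open(url, target);
  return { path: "open", target };
}

// Constructed stand-in for the browser window: records calls, runs nothing.
function makeStubWindow() {
  const calls = [];
  return {
    calls,
    open: (u, t) => { calls.push(["open", u, t]); },
    execScript: (s) => { calls.push(["execScript", s]); },
  };
}
```
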
----------------------------------------
                                     
2004-09-10
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
1.4.2_07


                                     
2004-09-11


