You can’t send a message over AIM that has a JavaScript event handler name, followed by =, in it. The message seems to be blocked on the server, not in the client, as this behavior was observed in different AIM clients (iChat, Adium, and meebo).
Examples
The following messages can’t be sent over AIM:
onclick=
onclick =
Yo dawg, I heard you liked onclick= in your JavaScript…
Interestingly, using a newline, instead of a space, between the handler name and = allows the message to be sent, even though it is still valid HTML/JavaScript. For example, you can send:
onclick
=x(); /*this is fine*/
I suspect there is an interesting security story behind all of this. If you know how and why this filtering came to pass, please leave a comment.
Thanks to Dustin Silverman for helping me investigate this. In case you were wondering how I stumbled onto this behavior — I was sending snippets of HTML from twitterglyphs.com/ over AIM.
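The behavior described in the post can be modelled as a blocklist that tolerates only spaces between the handler name and =. The following is an added example, not code from the original post and not AIM's actual filter; the handler list, both regular expressions and all function names are assumptions made for illustration.

```javascript
// Added example: a constructed model, not AIM's actual server-side filter.
// Illustrative subset of event handler names (assumption).
const HANDLERS = ['onclick', 'onload', 'onerror', 'onmouseover', 'onfocus'];
const names = HANDLERS.join('|');

// Model of the observed behaviour: handler name, optional spaces, then "=".
const observedFilter = new RegExp(`(?:${names}) *=`, 'i');

// An HTML parser accepts space, tab, LF, FF and CR between an attribute
// name and "=", so a pattern meant to mirror the parser must accept them too.
const htmlAwareFilter = new RegExp(`(?:${names})[ \\t\\n\\f\\r]*=`, 'i');

function isBlocked(filter, message) {
  return filter.test(message);
}

// The sturdier control: escape on output so message text is never parsed
// as markup, whatever whitespace it contains.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Messages taken from the post, plus one constructed benign message.
const samples = [
  'onclick=',
  'onclick =',
  'Yo dawg, I heard you liked onclick= in your JavaScript…',
  'onclick\n=x(); /*this is fine*/',
  'see you at one = 1pm', // constructed
];

function classify(messages) {
  return messages.map((message) => ({
    message,
    observed: isBlocked(observedFilter, message),
    htmlAware: isBlocked(htmlAwareFilter, message),
  }));
}

console.table(classify(samples));
```

The two filters disagree only on the newline message, which is the gap the post observed; escaping at render time does not depend on the pattern being complete.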
I know for a fact that the OS 8/9 versions of IM let you type <hr> to draw a rule in the other person’s window. Perhaps HTML is more deeply nested in their encoding than I thought?
Comment by Jason Petersen — September 18, 2009 @ 9:00 pm
Interesting. I was on ICQ back in those days, so I have absolutely no idea. From the little bit of experimenting I did, HTML code just comes across as plain text today.
Comment by Vincent Gable — September 18, 2009 @ 9:58 pm