You can’t send a message over AIM that has a JavaScript event handler name, followed by =
in it. The message seems to be blocked on the server, not in the client, as this behavior was observed in different AIM clients (iChat, Adium, and meebo.)
Examples
The following messages can’t be sent over AIM:
onclick=
onclick =
Yo dawg, I heard you liked onclick= in your JavaScript…
Interestingly, using a newline, instead of space, between the handler name and =
allows the message to be sent, even though it is still valid HTML/JavaScript. For example, you can send,
onclick =x(); /*this is fine*/
I suspect there is an interesting security story behind all of this. If you know how and why this filtering came to pass, I please leave a comment.
Thanks to Dustin Silverman for helping me investigate this. In case you were wondering how I stumbled onto this behavior — I was sending snippets of HTML from twitterglyphs.com/ over AIM.