问题
I'm using JSHint, and it got the following error:
Script URL.
Which I noticed that happened because on this particular line there is a string containing a javascript:... URL.
I know that JSHint complained that because the scripturl option is set, and since my codebase is quite large, I'll have to unset it for now.
Still, I don't understood what is the issue of using script URLs?
回答1:
javascript: URLs are part of 'eval is evil'.
In order to execute the javascript: URL, the browser must fire up a JS parser and parse the text of the URL.
This is a slow and costly process.
Also, assembling javascript: URLs (or other strings that contain source code) is a tricky task which is prone to XSS vulnerabilities.
Finally, mixing code and URLs violates the separation of content and behavior (code).
来源:https://stackoverflow.com/questions/13497971/what-is-the-matter-with-script-targeted-urls