Curious Javascript in .NET
26th April 2004
I’ve never had the opportunity nor the inclination to do anything with .NET; at work we use open source tools for all of our web development, and I prefer open source tools for my own personal experiments as well. At any rate, the javascript:__doPostBack links I’ve seen on .NET powered sites such as Channel 9 and Orkut plain give me the willies.
Anyway, I decided to view source and see what __doPostBack actually does. Here’s the function:
function __doPostBack(eventTarget, eventArgument) {
  var theform;
  if (window.navigator.appName.toLowerCase().indexOf("microsoft") > -1) {
    theform = document._ctl0;
  }
  else {
    theform = document.forms["_ctl0"];
  }
  theform.__EVENTTARGET.value = eventTarget.split("$").join(":");
  theform.__EVENTARGUMENT.value = eventArgument;
  theform.submit();
}
Note the use of a dubious user-agent based browser detection method. Now what I just don’t understand is why that browser detection is there in the first place. There are numerous ways of accessing a form by name using Javascript. document.forms['form-name'] is part of DOM level 0, and is supported by virtually every browser since Netscape 2. document.form-name is a Microsoft invention. The thing is, document.forms['form-name'] is supported by MS browsers as well. So why do a browser detect and use the MS-only method when just using the other method with no detect would work equally well?
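As an added illustration (not code from the original post or from .NET), here is the function's sniffing logic beside a detection-free version, run against constructed stub objects rather than a real browser; `makeStubDocument`, `sniffingPostBack`, `postBack` and `works` are hypothetical names. The stub that reports a Microsoft appName without exposing the document.form-name shortcut is a constructed case showing how the appName branch can fail where the document.forms lookup does not.

```javascript
// Added example: stub objects stand in for the browser DOM so this runs in Node.

// Constructed stand-in for a page containing <form name="_ctl0">.
// exposeShortcut controls whether the document._ctl0 shortcut exists.
function makeStubDocument(exposeShortcut) {
  const form = {
    __EVENTTARGET: { value: "" },
    __EVENTARGUMENT: { value: "" },
    submitted: false,
    submit() { this.submitted = true; },
  };
  const doc = { forms: { _ctl0: form } };
  if (exposeShortcut) doc._ctl0 = form;
  return doc;
}

// The page's logic, with appName and document passed in so it can be exercised here.
function sniffingPostBack(appName, doc, eventTarget, eventArgument) {
  let theform;
  if (appName.toLowerCase().indexOf("microsoft") > -1) {
    theform = doc._ctl0;            // trusts what the browser claims to be
  } else {
    theform = doc.forms["_ctl0"];
  }
  theform.__EVENTTARGET.value = eventTarget.split("$").join(":");
  theform.__EVENTARGUMENT.value = eventArgument;
  theform.submit();
  return theform;
}

// Detection-free version: a single DOM level 0 lookup, failing loudly if the form is absent.
function postBack(doc, eventTarget, eventArgument) {
  const theform = doc.forms["_ctl0"];
  if (!theform) throw new Error("form _ctl0 not found");
  theform.__EVENTTARGET.value = eventTarget.split("$").join(":");
  theform.__EVENTARGUMENT.value = eventArgument;
  theform.submit();
  return theform;
}

// True if fn runs to completion and the form was submitted, false if it throws.
function works(fn) {
  try { return fn().submitted === true; } catch (e) { return false; }
}
```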