Curious Javascript in .NET
26th April 2004
I’ve never had the opportunity nor the inclination to do anything with .NET; at work we use open source tools for all of our web development, and I prefer open source tools for my own personal experiments as well. At any rate, the javascript:__doPostBack links I’ve seen on .NET powered sites such as Channel 9 and Orkut plain give me the willies.
Anyway, I decided to view source and see what __doPostBack actually does. Here’s the function:
function __doPostBack(eventTarget, eventArgument) {
var theform;
if (window.navigator.appName.toLowerCase().indexOf("microsoft") > -1) {
theform = document._ctl0;
}
else {
theform = document.forms["_ctl0"];
}
theform.__EVENTTARGET.value = eventTarget.split("$").join(":");
theform.__EVENTARGUMENT.value = eventArgument;
theform.submit();
}
Note the use of a dubious user-agent based browser detection method. Now what I just don’t understand is why that browser detection is there in the first place. There are numerous ways of accessing a form by name using Javascript. document.forms['form-name'] is part of DOM level 0, and is supported by virtually every browser since Netscape 2. document.form-name is a Microsoft invention. The thing is, document.forms['form-name'] is supported by MS browsers as well. So why do a browser detect and use the MS only method when just using the other method with no detect would work equally as well?
More recent articles
- Meta's new model is Muse Spark, and meta.ai chat has some interesting tools - 8th April 2026
- Anthropic's Project Glasswing - restricting Claude Mythos to security researchers - sounds necessary to me - 7th April 2026
- The Axios supply chain attack used individually targeted social engineering - 3rd April 2026