I discovered this in the course of some work at a customer’s site – you can put Javascript into IE’s links bar!

The links bar is intended to give you buttons to take you to your commonly used websites (although it is nowhere near as good or useful as Firefox’s links bar, which is more like a menu). You press a button, it goes to that page.

However, in HTML in an anchor tag you can specify to Javascript to run, rather than just a page address. Out of interest, I tried doing this with IE’s links buttons, and it worked.

I was looking for a way to get a substring of the URL that the browser was currently at. The URL was of the form:
http://server/instance/app.dll?action=x&id=1234&next=y
and I was trying to get the value of the ‘id’ parameter (1234 in this case).

What I came up with was a URL that I put into a link. The URL was (one one line):
javascript:x=/id=([0-9]+)/i;x.exec(window.location);
window.clipboardData.setData("Text",RegExp.$1);alert(RegExp.$1);
To break it down:
javascript:
specifies that it is javascript code, not just a page address.
x=/id=([0-9]+)/i;
sets up a regular expression to get the ID
x.exec(window.location);
applies the expression to the current location of the browser window.
window.clipboardData.setData("Text",RegExp.$1);
copies this ID to the clipboard.
alert(RegExp.$1);
confirms that this has been done.

And it works! Hard to believe, but it really works! I’m sure that there must be some sort of security issue here – I need to think about how this might be abused, but there should be a way. Will let you know when I think of something…