Published 1 year ago • Last updated April 24, 2025 • ⏱️ 2 min read
A long time ago I can't remember exactly when, I discovered you could use a parameter called evt in SVG events. I tweeted about it but I thought I'd write it up since Twitter is no longer what it used to be. Anyway, I discovered this because I was playing with HTML and I decided to alert the contents of the event. It worked like this:
<img src onerror=alert(onerror)>
Which led to the following output:
function onerror(event) { alert(onerror) }
Notice a parameter called event is defined, I suspect this is a workaround to accommodate IE quirks because it has a global window.event, so browsers defined this so it enabled them to make the event local. Moving on, I wondered to myself what the other events look like, so I began messing with the various HTML tags and they all seemed pretty consistent but then I stumbled across SVG events and something looked different. The onload event of a SVG tag had a different parameter:
<svg onload=alert(onload)>
The output:
function onload(evt) { alert(onload) }
Why on earth is this not called event? You all know I like any sort differences as they often lead to bugs. If you have a sandbox you've got to look out for this parameter as it can leak DOM object. For example on Chrome:
<svg onload=evt.composedPath().pop().defaultView.alert(1)>
On Firefox we use the gorgeous explicitOriginalTarget property to get the document object:
<svg onload=evt.explicitOriginalTarget.ownerDocument.defaultView.alert(1)>
There really isn't a conclusion to this and I'm just happy to blog things I find interesting anyway hope you enjoyed it!