The issue was quite serious because it was possible to remotely log out a user (via GET) and because the javascript executed when email/password were still in the login form.<p>I also wonder how well known it is that 'window.location.href' accepts 'javascript:...' URIs which are then executed.<p>Why do browsers even allow this? Are there any legitimate use cases?