Executing large blocks of code
Even though the function is defined in the sandbox, it is not a closure of the sandbox scope. It is converted to a string and then back to a function in page scope. It cannot access anything in the sandbox scope, which is a limitation, but is also essential to making this technique secure.
Percent encoding issue
Sometimes percent-encoding the percent symbol is required. For example,
The above code will cause error because %22 is interpreted as double quotation mark. The workaround is:
See also encodeURI().
The location hack is really handy for passing values to the content scope, or to call functions defined there.
It is not, however, capable of directly reading a variable or value returned from a function.
Furthermore, it is run asynchronously, much like
setTimeout(), so you cannot immediately rely on side effects.
(If you use the location hack to, for example, store a value in the DOM and then attempt to read it, it will only be available at some other later point in time.)