... Fair enough. It's tough to implement sophisticated and efficient parsers in javascript, but I'm sure that it's worthwhile in some contexts. Perhaps if...
143
Freeman, Tim
timothy_free...
Jan 30, 2008 10:28 pm
Seems like a good idea. As a user, I'd rather see the SQL problem solved right by having a parser that's more sophisticated than a finite state machine than to...
142
Mike Samuel
mikesamuel
Jan 30, 2008 9:50 pm
... Escapers can use the runtime type of the substitution values. If the SQL escaper sees an array, then it iterates over elements, and if it sees a Date, it...
141
Monty Zukowski
monty_zukowski
Jan 30, 2008 9:21 pm
... Very nice. I like the context scanning mechanism. I'll be curious to see what the fsm.txt looks like for SQL. It wasn't clear to me how the interpolator...
140
Douglas Crockford
douglascrock...
Jan 30, 2008 3:16 pm
I am on the program committee of the second workshop on Web 2.0 Security and Privacy (http://seclab.cs.rice.edu/w2sp/2008/cfp.html). It will be held the day...
139
Mark Miller
capsecure
Jan 30, 2008 5:07 am
... From: Mike Samuel <mikesamuel@...> Date: Jan 29, 2008 8:15 PM Subject: [Caja] secure string interpolation in javascript To: Google Caja Discuss...
138
Douglas Crockford
douglascrock...
Jan 30, 2008 1:55 am
I have added an optional adsafe parameter to the JSLINT(source, option, adsafe) function. It is an object whose keys are global variable names and values are...
137
robertsayre2000
Jan 11, 2008 1:43 am
http://www.crockford.com/html/ "<module> creates a sub-tree which can contain a document with a communication channel. See http://json.org/module.html for a ...
136
Mark Miller
capsecure
Dec 9, 2007 6:27 pm
On Dec 9, 2007 8:49 AM, David Hopwood ... Mostly correct, but I would not describe ADsafe as implementing Cajita. Cajita was inspired by ADsafe and grew out of...
135
Adam Barth
hk9565
Dec 9, 2007 5:22 pm
... This does point out how easy it is for a web site using ADsafe to accidentally give away its security by modifying the prototype of Object (and possibly...
134
Mark Miller
capsecure
Dec 9, 2007 4:11 pm
... Jeez, my mistake again. I saw http://ejohn.org/apps/adsafe/valueOf.html pop up an "uh oh" alert, did a view source, saw the above text, pasted it into...
133
Douglas Crockford
douglascrock...
Dec 9, 2007 12:54 pm
... I don't understand this. What is bind in this example? When I ran it in Firefox 2.0.0.11, it reported 'obj.test.bind is not a function'....
132
Mark Miller
capsecure
Dec 9, 2007 6:46 am
... Never mind. I just ran it through JSLint, tried it, and looked at it again: (function(){ var obj = {}; obj.test = obj.valueOf; obj.valueOf = function(){...
131
Mark Miller
capsecure
Dec 9, 2007 6:24 am
... Hi John, I just talked to Crock. We're all agreed that this bug is serious and are relieved that it will be fixed in an upcoming Firefox release. However,...
130
Douglas Crockford
douglascrock...
Dec 3, 2007 1:17 pm
ADsafe does not allow 'call', so foo.call(null) does not pass, but it does allow foo(). I think they are calling foo as with new, so it returns this...
129
Bill Frantz
frantz@...
Dec 2, 2007 9:48 pm
{"Fwd: [Caja] Re: [jquery-dev] Re: [Caja] Re: [jquery-dev] Re:" removed from Subject tag for aesthetic reasons.} ... One thing people building Javascript...
128
Mark S. Miller
erights@...
Dec 2, 2007 8:22 pm
... Just to be clear: The bug is apparently not expected to be fixed for any FF 2.0.0.x. -- Cheers, --MarkM...
127
Mark Miller
capsecure
Dec 2, 2007 8:14 pm
Successful attack on ADsafe due to a Firefox bug that is fixed in the development trunk, but apparently not expected to appear in a Firefox 2.0.0.x...
126
Mark Miller
capsecure
Dec 2, 2007 8:08 pm
We've previously announced the Caja project <http://code.google.com/p/google-caja/> on cap-talk, e-lang, and The Caplet Group list. Since then, in order to...
125
Alan Karp
alanhkarp
Nov 13, 2007 11:21 pm
From an article in "SOA Advisor" titled "Enterprise Web 2.0, SOA Linkage: Will lack of standards be a hindrance?" by Srinivas Padmanabhuni of InfoSys. (If you...
124
Mike Samuel
mikesamuel
Oct 23, 2007 6:13 pm
... Maybe I'm being horribly unfair to protocol designers, but implementors do. An example is entities in URIs embedded in HTML. <a href="foo?bar=a&baz=b"> is...
123
Larry Masinter
masinter
Oct 23, 2007 3:41 pm
On standards: The benefit of HTTP and XML and HTML is not that they are well-designed protocol and syntax and language, but that there are many different and...
122
Mike Samuel
mikesamuel
Oct 22, 2007 11:15 pm
Ok. I think the time for debate has passed, but it's a slow Monday so I'll bite :) There are a few problems: (1) Documents embed other documents using a melange...
121
Freeman, Tim
timothy_free...
Oct 22, 2007 10:22 pm
... Okay, I'll try to say the obvious here -- although no one individual is responsible, we find ourselves in the middle of a big hacked-up pile of conventions...
120
Mike Samuel
mikesamuel
Oct 22, 2007 4:10 am
... Ok. I think it's useful to make a distinction between the n:1 mappings and the 1:1 mappings. If you're escaping (which I defined as n:1), you have to...
119
Larry Masinter
masinter
Oct 21, 2007 3:55 pm
To answer your direct questions: I don't know any formal definition for "escaping" except as a part of "encoding" -- you encode a sequence of bytes into (a...
118
Mike Samuel
mikesamuel
Oct 20, 2007 5:30 am
... I still don't understand. My reading of the spec says that the first sequence of characters is in ASCII. If that's the case, then an HTML validator should...
117
David Hopwood
david.hopwood@...
Oct 20, 2007 4:34 am
... URIs are sequences of characters that encode a sequence of bytes, which *may* in turn encode a sequence of Unicode characters. For URIs that have some...
116
Adam Barth
hk9565
Oct 19, 2007 9:17 pm
... It seems to be accepting lots of invalid HTML. For example, the simple <iframe xx="yy"></iframe> seems to pass, whereas http://validator.w3.org/check...
115
Mike Samuel
mikesamuel
Oct 19, 2007 8:47 pm
Sorry. I was reading 2396 (not 3986) which says An escaped octet is encoded as a character triplet, consisting of the percent character "%" followed by the...