Consider the following JavaScript source: [ /[/]/ /foo]/ + bar According to the ES3 spec, this is interpreted as: [ new RegExp("[") ] / new RegExp("foo]") +...
David-Sarah Hopwood
david.hopwood@...
Feb 9, 2009 5:16 pm
272
From what I remember this started out as a bug in IE and then Firefox followed suit for compatibility which left the other browsers with no choice. I can't...
... No, other browsers followed suit first. ... https://bugzilla.mozilla.org/show_bug.cgi?id=309840 Quoting from comment 0: Description From Jesse Ruderman...
... ADsafe rejects [ /[/]/ /foo]/ + bar. Just because ECMAScript says its ok doesn't mean that ADsafe must. ADsafe insists that all internal / must have \....
No need to apologize, and I did not aim to blame Opera or Safari in citing the record. This was not a situation where anyone fielding a browser compatible...
... I could, if I knew that there were no more bugs like this. Note that lexical confusion attacks of this kind can easily be turned into complete breaks of a...
David-Sarah Hopwood
david.hopwood@...
Feb 10, 2009 2:12 pm
279
... <https://bugzilla.mozilla.org/show_bug.cgi?id=309840#c12> # This fixes a highly dup'ed IE compatibility bug. It's an extension # to ECMA syntax that's...
David-Sarah Hopwood
david.hopwood@...
Feb 10, 2009 2:34 pm
280
... I'm confused -- how does it know that the middle '/' in "/[/]/" is "internal"? Is it lexing according to the intersection of Pattern from section 15.10.1,...
David-Sarah Hopwood
david.hopwood@...
Feb 10, 2009 2:44 pm
281
... You're right, but so what? The IE bug and monopoly combined to create a de-facto standard. Appealing to the de-jure standard does you no good, and...
... Plenty. But I suspect you know of them. There's conditional compilation comments /* @cc_on */, and there's the newlines in block comments thing return /*...
... Fixed in Firefox 3.1 beta nightlies: https://bugzilla.mozilla.org/show_bug.cgi?id=475834 We could push the fix back into a 3.0.x maintenance release if it ...
Suppose that S is a Unicode string in which each character matches ValidChar below, not containing the subsequences "<!", "</" or "]]>", and not containing...
David-Sarah Hopwood
david.hopwood@...
Feb 16, 2009 3:16 pm
285
No, I'm not paranoid enough yet. It's not sufficient only to say that the HTML is encoded as UTF-8 (see below). David-Sarah Hopwood wrote: [...] ... I meant,...
David-Sarah Hopwood
david.hopwood@...
Feb 16, 2009 4:29 pm
286
2009/2/16 David-Sarah Hopwood <david.hopwood@...> ... So no surrogates? ... Why include FFEF? ... You may still be subject to encoding...
... Correct. They're not characters (or even "noncharacters"). ... It's unassigned, and there's no particular reason to exclude it. (\uFFF0-\uFFF8 are also...
David-Sarah Hopwood
david.hopwood@...
Feb 17, 2009 11:13 am
288
... Isn't it the reflection of fffe, the byte-order-marker. This is probably a very minor issue, but if one part of a parser naively delegates to another...
... [...] ... No, \uFEFF is the BOM, and its byte-reflection \uFFFE is a noncharacter, so already excluded from ValidChar. (Thought you'd spotted something I'd...
This is announcement of the call for papers for the third in a series of successful workshops on topics related to security and privacy for Web 2.0. This...
I added +tagName to the ADsafe query language. It selects the immediate sibling, so dom.q("h1+p") selects all of the <p> that immediately follow an <h1>....
Doug, Do you know whether you will have time in the next few days (before March 25) to review a few of the papers submitted to W2SP this year? There are a few...
This workshop may be of interest to subscribers of this mailing list Web 2.0 Security & Privacy 2009 Claremont Resort in Oakland, California May 21, 2009 ...
Reminder: One week until the workshop. Web 2.0 Security & Privacy 2009 Claremont Resort in Oakland, California May 21, 2009 http://w2spconf.com/2009/ The goal...
... From: Mark S. Miller <erights@...> Date: Tue, May 19, 2009 at 7:52 PM Subject: Techtalk on EcmaScript 5 To: "es5-discuss@..."...
Mark S. Miller
erights@...
May 20, 2009 3:00 am
297
I slimmed down the ADsafe banned list. These are the names of members that may not be accessed. This list is now: arguments callee caller constructor eval ...
... I do not understand the value in preventing information leaks here. What is the hazard? I am considering the blocking of try/catch in ADsafe. I am...
On Sun, May 24, 2009 at 7:49 AM, Douglas Crockford ... Javascript's catch is also problematic since it enables catching of stack overflow and out of memory...
... I'd like to know too -- you can throw an object that you could return, so that's not it. Is it the ES3 spec bug, not implemented by many browsers, where...
Having problems with message search?
Fill out this form to ensure your group is one of the first to be migrated to the new message search system.
