caplet · The Caplet Group

Group Information

  • Members: 72
  • Category: Security
  • Founded: May 11, 2007
  • Language: English

Messages

Messages 42 - 71 of 349
42 Mark Miller
capsecure
Sep 2, 2007
2:05 am
... From: Douglas Crockford <douglas@...> Date: Sep 1, 2007 4:42 PM Subject: [json] JSONRequest for Firefox To: json@yahoogroups.com Collin Jackson...
43 Mark Miller
capsecure
Sep 19, 2007
11:10 pm
... From: Mark Miller <erights@...> Date: Sep 19, 2007 4:05 PM Subject: Techtalk by Doug Crockford on "Gears and the Mashup Problem" To: "General...
44 Douglas Crockford
douglascrock...
Sep 30, 2007
4:52 pm
JSLint.com contains an ADsafe feature. Its intent is to enforce a safe subset of JavaScript for use in ads and widgets. ADsafe requires no transformations. It...
45 Norman Hardy
fosdf
Sep 30, 2007
7:03 pm
... Bravo! It would be elegant and possibly easy to annotate each warning with a category where the categories are those listed in the options box below. A...
46 Mike Samuel
mikesamuel
Sep 30, 2007
10:32 pm
And Object.eval isn't present on all browsers, so it breaks the rules but I thought I'd mention it: (function () { var x = {}; var y = 'evaluate'.substring(0,...
47 David Hopwood
david.hopwood@...
Sep 30, 2007
10:33 pm
... If I submit anything starting with: <!-- I get the error: Problem at line NaN character NaN: stack has no properties I suspect that the 'NaN's here are...
48 Mike Samuel
mikesamuel
Sep 30, 2007
10:36 pm
(function () { var x = function () {}; var y = 'constructor'; var z = (x[y]); var w = z('alert("hi")'); w(); })(); cheers, mike...
49 collin_jackson Sep 30, 2007
11:09 pm
Square brackets are clearly problematic, as they allow access to eval. I suggest you deny them entirely and (optionally) allow authors use the ADSAFE API to...
50 David Hopwood
david.hopwood@...
Sep 30, 2007
11:33 pm
... What is the rule that is being applied to: (function () { var y = 'constructor'; ({}[y])('alert("hi")')(); })(); that provokes an ADsafe restriction, when ...
51 David Hopwood
david.hopwood@...
Sep 30, 2007
11:40 pm
... This is a case where conciseness matters for the acceptability of the restriction, so I suggest something like: SET(foo, bar, GET(foo, bar) + 1); instead. ...
52 Mike Samuel
mikesamuel
Sep 30, 2007
11:55 pm
Or you allow an idiom that first asserts that the index is safe ('number' === typeof i) && obj[<expr>] Where expression is allowed to be something that...
53 Mike Samuel
mikesamuel
Sep 30, 2007
11:57 pm
or obj[(<arbitrary expression>) | 0] assuming that 'NaN' is not a sensitive identifier....
54 David Hopwood
david.hopwood@...
Oct 1, 2007
1:45 am
... Why is the ADSAFE object not first-class ("var a = ADSAFE;" fails)? That doesn't seem to be necessary for security. -- David Hopwood...
55 David Hopwood
david.hopwood@...
Oct 1, 2007
1:56 am
... Better: foo.set(bar, foo.get(bar) + 1); and undo the conflation of objects with arrays and dictionaries, by defining 'get' and 'set' only for the latter. ...
56 Douglas Crockford
douglascrock...
Oct 1, 2007
11:45 am
Special thanks to Mike Samuel. I owe you a plate of shrimp. I am now disallowing the use of subscripting. In its place, I will be providing ADSAFE.get(object,...
57 collin_jackson Oct 1, 2007
4:29 pm
Not all dangerous dereferences are functions: (function() { var javascript = "javascript"; javascript += ":alert(42)"; ADSAFE.get({}, "__parent__").location =...
58 Douglas Crockford
douglascrock...
Oct 1, 2007
4:43 pm
... Quite right. I should have mentioned that get and put will also block the same members that ADsafe blocks, including names starting with _....
59 Douglas Crockford
douglascrock...
Oct 3, 2007
12:40 pm
This is the definition of ADSAFE.get and ADSAFE.set. var ADSAFE = function () { var exclude = { apply : true, begetObject : true, call...
60 collin_jackson Oct 3, 2007
7:01 pm
/*@cc_on alert("Conditional compilation considered harmful"); @*/...
61 Mike Samuel
mikesamuel
Oct 3, 2007
7:09 pm
I dislike blacklists. See comments on hasOwnProperty below. ... Perhaps exclude.hasOwnProperty(name)? Right now you'll exclude valueOf, though whether that's...
62 Douglas Crockford
douglascrock...
Oct 3, 2007
7:50 pm
... Good one. I owe you a plate of shrimp....
63 Douglas Crockford
douglascrock...
Oct 3, 2007
8:07 pm
... hasOwnProperty would ... I like the idea of restricting access to the prototype chain. ... I want to control what functions they get access to. Functions...
64 collin_jackson Oct 3, 2007
10:45 pm
I am concerned about browser differences in the handling of null bytes (and other special characters). Example:...
65 Adam Barth
hk9565
Oct 4, 2007
12:32 am
This seems to get through the filter: (function() { var str = "</script><script>alert('script tags affect parsing')/*"; })(); /**/ Adam...
66 David Hopwood
david.hopwood@...
Oct 4, 2007
1:26 am
Douglas Crockford wrote: [...] ... IMHO the rejections should not be silent; they should throw an exception. In any case, I prefer my suggestion to use...
67 Douglas Crockford
douglascrock...
Oct 4, 2007
3:29 am
... Good point. I am now scanning for the presence of any control character. ... JSLint runs in a number of configurations, including Rhino and WSH, which read...
68 Douglas Crockford
douglascrock...
Oct 4, 2007
3:33 am
... In a .js file, it is harmless. In an .html file, it produces an error....
69 Adam Barth
hk9565
Oct 4, 2007
3:55 am
... When embedded in HTML, it calls alert (at least in IE7 and Firefox 2): http://crypto.stanford.edu/~abarth/jslint/parse.html Adam...
70 Adam Barth
hk9565
Oct 4, 2007
5:11 am
I think I misunderstood your comment below. I meant that, when embedded in an HTML file, the script does indeed produce an error in a browser, but the browser...
71 Mike Samuel
mikesamuel
Oct 4, 2007
8:37 am
If you do want to allow ADsafe JS to be embedded in a script tag, you need to deal with ]]> as well, since the following could be used to throw alert ...