Special thanks to Mike Samuel. I owe you a plate of shrimp. I am now disallowing the use of subscripting. In its place, I will be providing ADSAFE.get(object,...
57
collin_jackson
Oct 1, 2007 4:29 pm
Not all dangerous dereferences are functions: (function() { var javascript = "javascript"; javascript += ":alert(42)"; ADSAFE.get({}, "__parent__").location =...
58
Douglas Crockford
douglascrock...
Oct 1, 2007 4:43 pm
... Quite right. I should have mentioned that get and put will also block the same members that ADsafe blocks, including names starting with _....
59
Douglas Crockford
douglascrock...
Oct 3, 2007 12:40 pm
This is the definition of ADSAFE.get and ADSAFE.set. var ADSAFE = function () { var exclude = { apply : true, begetObject : true, call...
60
collin_jackson
Oct 3, 2007 7:01 pm
/*@cc_on alert("Conditional compilation considered harmful"); @*/...
61
Mike Samuel
mikesamuel
Oct 3, 2007 7:09 pm
I dislike blacklists. See comments on hasOwnProperty below. ... Perhaps exclude.hasOwnProperty(name)? Right now you'll exclude valueOf, though whether that's...
62
Douglas Crockford
douglascrock...
Oct 3, 2007 7:50 pm
... Good one. I owe you a plate of shrimp....
63
Douglas Crockford
douglascrock...
Oct 3, 2007 8:07 pm
... hasOwnProperty would ... I like the idea of restricting access to the prototype chain. ... I want to control what functions they get access to. Functions...
64
collin_jackson
Oct 3, 2007 10:45 pm
I am concerned about browser differences in the handling of null bytes (and other special characters). Example:...
65
Adam Barth
hk9565
Oct 4, 2007 12:32 am
This seems to get through the filter: (function() { var str = "</script><script>alert('script tags affect parsing')/*"; })(); /**/ Adam...
66
David Hopwood
david.hopwood@...
Oct 4, 2007 1:26 am
Douglas Crockford wrote: [...] ... IMHO the rejections should not be silent; they should throw an exception. In any case, I prefer my suggestion to use...
67
Douglas Crockford
douglascrock...
Oct 4, 2007 3:29 am
... Good point. I am now scanning for the presence of any control character. ... JSLint runs in a number of configurations, including Rhino and WSH, which read...
68
Douglas Crockford
douglascrock...
Oct 4, 2007 3:33 am
... In a .js file, it is harmless. In an .html file, it produces an error....
69
Adam Barth
hk9565
Oct 4, 2007 3:55 am
... When embedded in HTML, it calls alert (at least in IE7 and Firefox 2): http://crypto.stanford.edu/~abarth/jslint/parse.html Adam...
70
Adam Barth
hk9565
Oct 4, 2007 5:11 am
I think I misunderstood your comment below. I meant that, when embedded in an HTML file, the script does indeed produce an error in a browser, but the browser...
71
Mike Samuel
mikesamuel
Oct 4, 2007 8:37 am
If you do want to allow ADsafe JS to be embedded in a script tag, you need to deal with ]]> as well, since the following could be used to throw alert ...
72
Douglas Crockford
douglascrock...
Oct 4, 2007 1:02 pm
... be ADsafe. ... The usage I was anticipating was that ads would be delivered in individual .js files. Ultimately, I want to banish all in page script. But I...
73
Douglas Crockford
douglascrock...
Oct 4, 2007 1:16 pm
... you need ... alert Is it sufficient to disallow <![ ?...
74
Douglas Crockford
douglascrock...
Oct 4, 2007 1:32 pm
I have put more limitations on what is tolerated in HTML. I suspect there are more gremlins out there. I am worried about catch(name) clauses. The way that...
75
Mike Samuel
mikesamuel
Oct 4, 2007 5:35 pm
No because ]]> can end a CDATA section introduced by the embedding XHTML page which would then allow the embedding script to play tricks with entities that...
76
Mike Samuel
mikesamuel
Oct 4, 2007 6:46 pm
catch is problematic. Below is my writeup of scoping re catch. If my recollections of the behavior of old versions of Firefox/Mozilla are correct, then catch...
77
Adam Barth
hk9565
Oct 6, 2007 6:56 pm
Another situation you may or may not have considered is the following: (function(){ throw "hi!"; })(); This brings up the issue of what exactly is ADsafe...
78
Douglas Crockford
douglascrock...
Oct 9, 2007 11:25 pm
... Does any browser include object references or functions in its exception objects?...
79
Douglas Crockford
douglascrock...
Oct 9, 2007 11:28 pm
I have relaxed the rules on words. $ and leading _ are permitted. A trailing __ is forbidden. This change makes ADsafe a subset of another safe JavaScript...
80
Mark S. Miller
erights@...
Oct 10, 2007 12:30 am
... As of today, I was able to tell Crock about this other safe Javascript subset. And I can tell you folks as well. It's called "Caja". We will be open...
81
Mark S. Miller
erights@...
Oct 10, 2007 12:49 am
Let's refer to a Javascript function that mentions 'this' as a Javascript method. When a Javascript method is called as a function, its 'this' gets bound to...
82
collin_jackson
Oct 10, 2007 1:49 am
I was not able to reproduce this behavior. I tried this URL: javascript:(function(){alert(window===this);}).call(null); I got an alert of "true" on Firefox...
83
Mark S. Miller
erights@...
Oct 10, 2007 4:01 am
... Hi Collin, I'm using Firefox 2.0.0.7 on a Mac-x86. When I try your javascript: url I also get a true. But when I use the squarefree shell bookmarklet, I...
84
Ben Laurie
benlaurie2000
Oct 10, 2007 9:21 am
... It got bound to your shell window (try defining "function foo() { this.close(); }") and see what happens. Not sure what it gets bound to in the first case -...
85
Mike Samuel
mikesamuel
Oct 10, 2007 1:23 pm
Mark, I can't repeat your example under the squarefree shell on FF2.0.0.7 on Linux. And I can't reproduce by playing around with 'with' blocks, window ...