Special thanks to Mike Samuel. I owe you a late of shrimp. I am now disallowing the use of subscripting. In its place, I will be providing ADSAFE.get(object,...
Not all dangerous dereferences are functions: (function() { var javascript = "javascript"; javascript += ":alert(42)"; ADSAFE.get({}, "__parent__").location =...
I dislike blacklists. See comments on hasOwnProperty below. ... Perhaps exclude.hasOwnProperty(name)? Right now you'll exclude valueOf, though whether that's...
... hasOwnProperty would ... I like the idea of restricting access to the prototype chain. ... I want to control what functions they get access to. Functions...
Douglas Crockford wrote: [...] ... IMHO the rejections should not be silent; they should throw an exception. In any case, I prefer my suggestion to use...
David Hopwood
david.hopwood@...
Oct 4, 2007 1:26 am
67
... Good point. I am now scanning for the presence of any control character. ... JSLint runs in a number of configurations, including Rhino and WSH, which read...
I think I misunderstood your comment below. I meant that, when embedded in an HTML file, the script does indeed produce an error in a browser, but the browser...
If you do want to allow ADsafe JS to be embedded in a script tag, you need to deal with ]]> as well, since the following could be used to throw allert ...
... be ADsafe. ... The usage I was anticipating was that ads would be delivered in individual .js files. Ultimately, I want to banish all in page script. But I...
I have put more limitations on what is tolerated in HTML. I suspect there are more gremlins out there. I am worried about catch(name) clauses. The way that...
No because ]]> can end a CDATA section introduced by the embedding XHTML page which would then allow the embedding script to play tricks with entities that...
catch is problematic. Below is my writeup of scoping re catch. If my recollections of the behavior of old versions of Firefox/Mozilla are correct, then catch...
Another situation you may or may not have considered is the following: (function(){ throw "hi!"; })(); This brings up the issue of what exactly is ADsafe...
I have relaxed the rules on words. $ and leading _ are permitted. A trailing __ is forbidden. This change makes ADsafe a subset of another safe JavaScript...
... As of today, I was able to tell Crock about this other safe Javascript subset. And I can tell you folks as well. It's called "Caja". We will be open...
Mark S. Miller
erights@...
Oct 10, 2007 12:30 am
81
Let's refer to a Javascript function that mentions 'this' as a Javascript method. When a Javascript method is called as a function, it's 'this' gets bound to...
Mark S. Miller
erights@...
Oct 10, 2007 12:49 am
82
I was not able to reproduce this behavior. I tried this URL: javascript:(function(){alert(window===this);}).call(null); I got an alert of "true" on Firefox...
... Hi Colin, I'm using Firefox 2.0.0.7 on a Mac-x86. When I try your javascript: url I get also get a true. But when I use the squarefree shell bookmarklet, I...
Mark S. Miller
erights@...
Oct 10, 2007 4:01 am
84
... It got bound to your shell window (try defining "function foo() { this.close(); }) and see what happens. Not sure what it gets bound to in the first case -...
Mark, I can't repeat your example under the squarefree shell on FF2.0.0.7 on Linux. And I can't reproduce by playing around with 'with' blocks, window ...
Having problems with message search?
Fill out this form to ensure your group is one of the first to be migrated to the new message search system.
