Douglas Crockford wrote: [...] ... IMHO the rejections should not be silent; they should throw an exception. In any case, I prefer my suggestion to use...
65
Adam Barth
hk9565
Oct 4, 2007 12:32 am
This seems to get through the filter: (function() { var str = "</script><script>alert('script tags affect parsing')/*"; })(); /**/ Adam...
64
collin_jackson
Oct 3, 2007 10:45 pm
I am concerned about browser differences in the handling of null bytes (and other special characters). Example:...
63
Douglas Crockford
douglascrock...
Oct 3, 2007 8:07 pm
... hasOwnProperty would ... I like the idea of restricting access to the prototype chain. ... I want to control what functions they get access to. Functions...
62
Douglas Crockford
douglascrock...
Oct 3, 2007 7:50 pm
... Good one. I owe you a plate of shrimp....
61
Mike Samuel
mikesamuel
Oct 3, 2007 7:09 pm
I dislike blacklists. See comments on hasOwnProperty below. ... Perhaps exclude.hasOwnProperty(name)? Right now you'll exclude valueOf, though whether that's...
60
collin_jackson
Oct 3, 2007 7:01 pm
/*@cc_on alert("Conditional compilation considered harmful"); @*/...
59
Douglas Crockford
douglascrock...
Oct 3, 2007 12:40 pm
This is the definition of ADSAFE.get and ADSAFE.set. var ADSAFE = function () { var exclude = { apply : true, begetObject : true, call...
58
Douglas Crockford
douglascrock...
Oct 1, 2007 4:43 pm
... Quite right. I should have mentioned that get and put will also block the same members that ADsafe blocks, including names starting with _....
57
collin_jackson
Oct 1, 2007 4:29 pm
Not all dangerous dereferences are functions: (function() { var javascript = "javascript"; javascript += ":alert(42)"; ADSAFE.get({}, "__parent__").location =...
56
Douglas Crockford
douglascrock...
Oct 1, 2007 11:45 am
Special thanks to Mike Samuel. I owe you a late of shrimp. I am now disallowing the use of subscripting. In its place, I will be providing ADSAFE.get(object,...
55
David Hopwood
david.hopwood@...
Oct 1, 2007 1:56 am
... Better: foo.set(bar, foo.get(bar) + 1); and undo the conflation of objects with arrays and dictionaries, by defining 'get' and 'set' only for the latter. ...
54
David Hopwood
david.hopwood@...
Oct 1, 2007 1:45 am
... Why is the ADSAFE object not first-class ("var a = ADSAFE;" fails)? That doesn't seem to be necessary for security. -- David Hopwood...
53
Mike Samuel
mikesamuel
Sep 30, 2007 11:57 pm
or obj[(<arbitrary expression>) | 0] assuming that 'NaN' is not a sensitive identifier....
52
Mike Samuel
mikesamuel
Sep 30, 2007 11:55 pm
Or you allow an idiom that first asserts that the index is safe ('number' === typeof i) && obj[<expr>] Where expression is allowed to be something that...
51
David Hopwood
david.hopwood@...
Sep 30, 2007 11:40 pm
... This is a case where conciseness matters for the acceptability of the restriction, so I suggest something like: SET(foo, bar, GET(foo, bar) + 1); instead. ...
50
David Hopwood
david.hopwood@...
Sep 30, 2007 11:33 pm
... What is the rule that is being applied to: (function () { var y = 'constructor'; ({}[y])('alert("hi")')(); })(); that provokes an ADsafe restriction, when ...
49
collin_jackson
Sep 30, 2007 11:09 pm
Square brackets are clearly problematic, as they allow access to eval. I suggest you deny them entirely and (optionally) allow authors use the ADSAFE API to...
48
Mike Samuel
mikesamuel
Sep 30, 2007 10:36 pm
(function () { var x = function () {}; var y = 'constructor'; var z = (x[y]); var w = z('alert("hi")'); w(); })(); cheers, mike...
47
David Hopwood
david.hopwood@...
Sep 30, 2007 10:33 pm
... If I submit anything starting with: <!-- I get the error: Problem at line NaN character NaN: stack has no properties I suspect that the 'NaN's here are...
46
Mike Samuel
mikesamuel
Sep 30, 2007 10:32 pm
And Object.eval isn't present on all browsers, so it breaks the rules but I thought I'd mention it: (function () { var x = {}; var y = 'evaluate'.substring(0,...
45
Norman Hardy
fosdf
Sep 30, 2007 7:03 pm
... Bravo! It would be elegant and possibly easy to annotate each warning with a category where the categories are those listed in the options box below. A...
44
Douglas Crockford
douglascrock...
Sep 30, 2007 4:52 pm
JSLint.com contains an ADsafe feature. Its intent is to enforce a safe subset of JavaScript for use in ads and widgets. ADsafe requires no transformations. It...
43
Mark Miller
capsecure
Sep 19, 2007 11:10 pm
... From: Mark Miller <erights@...> Date: Sep 19, 2007 4:05 PM Subject: Techtalk by Doug Crockford on "Gears and the Mashup Problem" To: "General...
42
Mark Miller
capsecure
Sep 2, 2007 2:05 am
... From: Douglas Crockford <douglas@...> Date: Sep 1, 2007 4:42 PM Subject: [json] JSONRequest for Firefox To: json@yahoogroups.com Collin Jackson...
41
Douglas Crockford
douglascrock...
Aug 30, 2007 5:02 pm
Google is continuing to do some really interesting stuff. http://ajaxian.com/archives/google-gears-02-developer-release...
40
Mark Miller
capsecure
Aug 20, 2007 4:03 pm
The Waterken server itself can be downloaded from http://sourceforge.net/projects/waterken/ The core of the Javascript library that provides the API for...
39
Mark Miller
capsecure
Aug 20, 2007 3:24 pm
The Waterken server is itself built in Joe-E and provides distributed capability-based interaction for Joe-E objects via an https/json based crypto capability...
38
Mark Miller
capsecure
Aug 20, 2007 3:16 pm
Tyler's "Bang Tutorial" <http://waterken.sourceforge.net/bang/> is the right place to start to understand the Javscript library used on the client to talk to...
37
Freeman, Tim
timothy_free...
Jul 19, 2007 8:59 pm
... That would be a good way to avoid the latency, if it works. Does anyone know what sort of functionality can be delivered that way? ... Tim Freeman Email:...
