I think I misunderstood your comment below. I meant that, when embedded in an HTML file, the script does indeed produce an error in a browser, but the browser...
If you do want to allow ADsafe JS to be embedded in a script tag, you need to deal with ]]> as well, since the following could be used to throw alert ...
... be ADsafe. ... The usage I was anticipating was that ads would be delivered in individual .js files. Ultimately, I want to banish all in page script. But I...
I have put more limitations on what is tolerated in HTML. I suspect there are more gremlins out there. I am worried about catch(name) clauses. The way that...
No because ]]> can end a CDATA section introduced by the embedding XHTML page which would then allow the embedding script to play tricks with entities that...
catch is problematic. Below is my writeup of scoping re catch. If my recollections of the behavior of old versions of Firefox/Mozilla are correct, then catch...
Another situation you may or may not have considered is the following: (function(){ throw "hi!"; })(); This brings up the issue of what exactly is ADsafe...
I have relaxed the rules on words. $ and leading _ are permitted. A trailing __ is forbidden. This change makes ADsafe a subset of another safe JavaScript...
80
Mark S. Miller
erights@...
Oct 10, 2007 12:30 am
... As of today, I was able to tell Crock about this other safe Javascript subset. And I can tell you folks as well. It's called "Caja". We will be open...
81
Mark S. Miller
erights@...
Oct 10, 2007 12:49 am
Let's refer to a Javascript function that mentions 'this' as a Javascript method. When a Javascript method is called as a function, its 'this' gets bound to...
I was not able to reproduce this behavior. I tried this URL: javascript:(function(){alert(window===this);}).call(null); I got an alert of "true" on Firefox...
83
Mark S. Miller
erights@...
Oct 10, 2007 4:01 am
... Hi Colin, I'm using Firefox 2.0.0.7 on a Mac-x86. When I try your javascript: url I also get a true. But when I use the squarefree shell bookmarklet, I...
... It got bound to your shell window (try defining "function foo() { this.close(); }") and see what happens. Not sure what it gets bound to in the first case -...
Mark, I can't repeat your example under the squarefree shell on FF2.0.0.7 on Linux. And I can't reproduce by playing around with 'with' blocks, window ...
I believe the squarefree shell executes shell commands like with (shellScope) { eval(shellCommand); } If shellScope uses window as its prototype then it'd...
It seems that call and apply's behavior, in this regard, is browser dependent. The following var o = { valueOf: function () { return null }, toString: function...
88
Mark S. Miller
erights@...
Oct 10, 2007 9:15 pm
... I've just repeated it on FF2.0.0.7 on Linux. For all the tests I've done on both, I haven't yet seen any difference between FF on Linux vs. Mac. Ben's msg...
To make sure I'm clear, you're using the square free bookmarklet (the first entry, [shell], at http://www.squarefree.com/bookmarklets/webdevel.html) not ...
The reason for this is in the first line of the bookmarklet with(window.open(...)) { ... } Each window object has an eponymous property, 'window'. This 'with'...
The below causes the same symptoms in both squarefree shells: var f = document.createElement('iframe'); document.body.appendChild(f); with (f.contentWindow) { ...
Caja is hereby open source under the Apache license 2.0. The Caja development site is at http://code.google.com/p/google-caja/ The initial draft design doc is...
The next step is to secure HTML fragments. JSLint has an HTML fragment option. When used with ADsafe, it will accept a <div> or <iframe> and its contents. It...