caplet : Messages : 42-71 of 349

Messages: Simplify \| Expand		Author	Sort by Date

71		Mike Samuel mikesamuel	Oct 4, 2007 8:37 am
	If you do want to allow ADsafe JS to be embedded in a script tag, you need to deal with ]]> as well, since the following could be used to throw allert ...
70		Adam Barth hk9565	Oct 4, 2007 5:11 am
	I think I misunderstood your comment below. I meant that, when embedded in an HTML file, the script does indeed produce an error in a browser, but the browser...
69		Adam Barth hk9565	Oct 4, 2007 3:55 am
	... When embedded in HTML, it calls alert (at least in IE7 and Firefox 2): http://crypto.stanford.edu/~abarth/jslint/parse.html Adam...
68		Douglas Crockford douglascrock...	Oct 4, 2007 3:33 am
	... In a .js file, it is harmless. In an .html file, it produces an error....
67		Douglas Crockford douglascrock...	Oct 4, 2007 3:29 am
	... Good point. I am now scanning for the presence of any control character. ... JSLint runs in a number of configurations, including Rhino and WSH, which read...
66		David Hopwood david.hopwood@...	Oct 4, 2007 1:26 am
	Douglas Crockford wrote: [...] ... IMHO the rejections should not be silent; they should throw an exception. In any case, I prefer my suggestion to use...
65		Adam Barth hk9565	Oct 4, 2007 12:32 am
	This seems to get through the filter: (function() { var str = "</script><script>alert('script tags affect parsing')/"; })(); /*/ Adam...
64		collin_jackson	Oct 3, 2007 10:45 pm
	I am concerned about browser differences in the handling of null bytes (and other special characters). Example:...
63		Douglas Crockford douglascrock...	Oct 3, 2007 8:07 pm
	... hasOwnProperty would ... I like the idea of restricting access to the prototype chain. ... I want to control what functions they get access to. Functions...
62		Douglas Crockford douglascrock...	Oct 3, 2007 7:50 pm
	... Good one. I owe you a plate of shrimp....
61		Mike Samuel mikesamuel	Oct 3, 2007 7:09 pm
	I dislike blacklists. See comments on hasOwnProperty below. ... Perhaps exclude.hasOwnProperty(name)? Right now you'll exclude valueOf, though whether that's...
60		collin_jackson	Oct 3, 2007 7:01 pm
	/@cc_on alert("Conditional compilation considered harmful"); @/...
59		Douglas Crockford douglascrock...	Oct 3, 2007 12:40 pm
	This is the definition of ADSAFE.get and ADSAFE.set. var ADSAFE = function () { var exclude = { apply : true, begetObject : true, call...
58		Douglas Crockford douglascrock...	Oct 1, 2007 4:43 pm
	... Quite right. I should have mentioned that get and put will also block the same members that ADsafe blocks, including names starting with _....
57		collin_jackson	Oct 1, 2007 4:29 pm
	Not all dangerous dereferences are functions: (function() { var javascript = "javascript"; javascript += ":alert(42)"; ADSAFE.get({}, "__parent__").location =...
56		Douglas Crockford douglascrock...	Oct 1, 2007 11:45 am
	Special thanks to Mike Samuel. I owe you a late of shrimp. I am now disallowing the use of subscripting. In its place, I will be providing ADSAFE.get(object,...
55		David Hopwood david.hopwood@...	Oct 1, 2007 1:56 am
	... Better: foo.set(bar, foo.get(bar) + 1); and undo the conflation of objects with arrays and dictionaries, by defining 'get' and 'set' only for the latter. ...
54		David Hopwood david.hopwood@...	Oct 1, 2007 1:45 am
	... Why is the ADSAFE object not first-class ("var a = ADSAFE;" fails)? That doesn't seem to be necessary for security. -- David Hopwood...
53		Mike Samuel mikesamuel	Sep 30, 2007 11:57 pm
	or obj[(<arbitrary expression>) \| 0] assuming that 'NaN' is not a sensitive identifier....
52		Mike Samuel mikesamuel	Sep 30, 2007 11:55 pm
	Or you allow an idiom that first asserts that the index is safe ('number' === typeof i) && obj[<expr>] Where expression is allowed to be something that...
51		David Hopwood david.hopwood@...	Sep 30, 2007 11:40 pm
	... This is a case where conciseness matters for the acceptability of the restriction, so I suggest something like: SET(foo, bar, GET(foo, bar) + 1); instead. ...
50		David Hopwood david.hopwood@...	Sep 30, 2007 11:33 pm
	... What is the rule that is being applied to: (function () { var y = 'constructor'; ({}[y])('alert("hi")')(); })(); that provokes an ADsafe restriction, when ...
49		collin_jackson	Sep 30, 2007 11:09 pm
	Square brackets are clearly problematic, as they allow access to eval. I suggest you deny them entirely and (optionally) allow authors use the ADSAFE API to...
48		Mike Samuel mikesamuel	Sep 30, 2007 10:36 pm
	(function () { var x = function () {}; var y = 'constructor'; var z = (x[y]); var w = z('alert("hi")'); w(); })(); cheers, mike...
47		David Hopwood david.hopwood@...	Sep 30, 2007 10:33 pm
	... If I submit anything starting with: <!-- I get the error: Problem at line NaN character NaN: stack has no properties I suspect that the 'NaN's here are...
46		Mike Samuel mikesamuel	Sep 30, 2007 10:32 pm
	And Object.eval isn't present on all browsers, so it breaks the rules but I thought I'd mention it: (function () { var x = {}; var y = 'evaluate'.substring(0,...
45		Norman Hardy fosdf	Sep 30, 2007 7:03 pm
	... Bravo! It would be elegant and possibly easy to annotate each warning with a category where the categories are those listed in the options box below. A...
44		Douglas Crockford douglascrock...	Sep 30, 2007 4:52 pm
	JSLint.com contains an ADsafe feature. Its intent is to enforce a safe subset of JavaScript for use in ads and widgets. ADsafe requires no transformations. It...
43		Mark Miller capsecure	Sep 19, 2007 11:10 pm
	... From: Mark Miller <erights@...> Date: Sep 19, 2007 4:05 PM Subject: Techtalk by Doug Crockford on "Gears and the Mashup Problem" To: "General...
42		Mark Miller capsecure	Sep 2, 2007 2:05 am
	... From: Douglas Crockford <douglas@...> Date: Sep 1, 2007 4:42 PM Subject: [json] JSONRequest for Firefox To: json@yahoogroups.com Collin Jackson...

Yahoo! Groups

Breaking News Visit Yahoo! News for the latest.

The Yahoo! Groups Product Blog

Check it out!

Group Information

Yahoo! Groups Tips

Did you know...

Messages