caplet · The Caplet Group

Group Information

  • Members: 72
  • Category: Security
  • Founded: May 11, 2007
  • Language: English
Messages

Messages 66 - 95 of 349   Oldest  |  < Older  |  Newer >  |  Newest
66 David Hopwood
david.hopwood@...
Oct 4, 2007
1:26 am
Douglas Crockford wrote: [...] ... IMHO the rejections should not be silent; they should throw an exception. In any case, I prefer my suggestion to use...
67 Douglas Crockford
douglascrock...
Oct 4, 2007
3:29 am
... Good point. I am now scanning for the presence of any control character. ... JSLint runs in a number of configurations, including Rhino and WSH, which read...
68 Douglas Crockford
douglascrock...
Oct 4, 2007
3:33 am
... In a .js file, it is harmless. In an .html file, it produces an error....
69 Adam Barth
hk9565
Oct 4, 2007
3:55 am
... When embedded in HTML, it calls alert (at least in IE7 and Firefox 2): http://crypto.stanford.edu/~abarth/jslint/parse.html Adam...
70 Adam Barth
hk9565
Oct 4, 2007
5:11 am
I think I misunderstood your comment below. I meant that, when embedded in an HTML file, the script does indeed produce an error in a browser, but the browser...
71 Mike Samuel
mikesamuel
Oct 4, 2007
8:37 am
If you do want to allow ADsafe JS to be embedded in a script tag, you need to deal with ]]> as well, since the following could be used to throw allert ...
72 Douglas Crockford
douglascrock...
Oct 4, 2007
1:02 pm
... be ADsafe. ... The usage I was anticipating was that ads would be delivered in individual .js files. Ultimately, I want to banish all in page script. But I...
73 Douglas Crockford
douglascrock...
Oct 4, 2007
1:16 pm
... you need ... alert Is it sufficient to disallow <![ ?...
74 Douglas Crockford
douglascrock...
Oct 4, 2007
1:32 pm
I have put more limitations on what is tolerated in HTML. I suspect there are more gremlins out there. I am worried about catch(name) clauses. The way that...
75 Mike Samuel
mikesamuel
Oct 4, 2007
5:35 pm
No because ]]> can end a CDATA section introduced by the embedding XHTML page which would then allow the embedding script to play tricks with entities that...
76 Mike Samuel
mikesamuel
Oct 4, 2007
6:46 pm
catch is problematic. Below is my writeup of scoping re catch. If my recollections of the behavior of old versions of Firefox/Mozilla are correct, then catch...
77 Adam Barth
hk9565
Oct 6, 2007
6:56 pm
Another situation you may or may not have considered is the following: (function(){ throw "hi!"; })(); This brings up the issue of what exactly is ADsafe...
78 Douglas Crockford
douglascrock...
Oct 9, 2007
11:25 pm
... Does any browser include object references or functions in its exception objects?...
79 Douglas Crockford
douglascrock...
Oct 9, 2007
11:28 pm
I have relaxed the rules on words. $ and leading _ are permitted. A trailing __ is forbidden. This change makes ADsafe a subset of another safe JavaScript...
80 Mark S. Miller
erights@...
Oct 10, 2007
12:30 am
... As of today, I was able to tell Crock about this other safe Javascript subset. And I can tell you folks as well. It's called "Caja". We will be open...
81 Mark S. Miller
erights@...
Oct 10, 2007
12:49 am
Let's refer to a Javascript function that mentions 'this' as a Javascript method. When a Javascript method is called as a function, its 'this' gets bound to...
82 collin_jackson
Oct 10, 2007
1:49 am
I was not able to reproduce this behavior. I tried this URL: javascript:(function(){alert(window===this);}).call(null); I got an alert of "true" on Firefox...
83 Mark S. Miller
erights@...
Oct 10, 2007
4:01 am
... Hi Colin, I'm using Firefox 2.0.0.7 on a Mac-x86. When I try your javascript: url I also get a true. But when I use the squarefree shell bookmarklet, I...
84 Ben Laurie
benlaurie2000
Oct 10, 2007
9:21 am
... It got bound to your shell window (try defining "function foo() { this.close(); }) and see what happens. Not sure what it gets bound to in the first case -...
85 Mike Samuel
mikesamuel
Oct 10, 2007
1:23 pm
Mark, I can't repeat your example under the squarefree shell on FF2.0.0.7 on Linux. And I can't reproduce by playing around with 'with' blocks, window ...
86 Mike Samuel
mikesamuel
Oct 10, 2007
1:24 pm
I believe the squarefree shell executes shell commands like with (shellScope) { eval(shellCommand); } If shellScope uses window as its prototype then it'd...
87 Mike Samuel
mikesamuel
Oct 10, 2007
1:24 pm
It seems that call and apply's behavior, in this regard, is browser dependent. The following var o = { valueOf: function () { return null }, toString: function...
88 Mark S. Miller
erights@...
Oct 10, 2007
9:15 pm
... I've just repeated it on FF2.0.0.7 on Linux. For all the tests I've done on both, I haven't yet seen any difference between FF on Linux vs. Mac. Ben's msg...
89 Mike Samuel
mikesamuel
Oct 10, 2007
9:42 pm
To make sure I'm clear, you're using the square free bookmarklet (the first entry, [shell], at http://www.squarefree.com/bookmarklets/webdevel.html) not ...
90 Mark Miller
capsecure
Oct 10, 2007
9:50 pm
... Yes exactly. -- Text by me above is hereby placed in the public domain Cheers, --MarkM...
91 Mike Samuel
mikesamuel
Oct 10, 2007
9:51 pm
The reason for this is in the first line of the bookmarklet with(window.open(...)) { ... } Each window object has an eponymous property, 'window'. This 'with'...
92 Mike Samuel
mikesamuel
Oct 10, 2007
9:55 pm
... err assigning window to this -> assigning window to this.window cross-domain thing though. window's are manipulable across domain since a...
93 Mike Samuel
mikesamuel
Oct 10, 2007
10:30 pm
The below causes the same symptoms in both squarefree shells: var f = document.createElement('iframe'); document.body.appendChild(f); with (f.contentWindow) { ...
94 Mark Miller
capsecure
Oct 12, 2007
1:41 am
Caja is hereby open source under the Apache license 2.0. The Caja development site is at http://code.google.com/p/google-caja/ The initial draft design doc is...
95 Douglas Crockford
douglascrock...
Oct 17, 2007
12:39 am
The next step is to secure HTML fragments. JSLint has an HTML fragment option. When used with ADsafe, it will accept a <div> or <iframe> and its contents. It...