[Arg, forgot to check the linked page before sending; turns out it
doesn't have enough examples. Added a note to the page.]
Actually, it's a lot worse than that, and it's trivial for someone to
make a variable that was quite malicious indeed: see
On Sun, Feb 28, 2010 at 9:49 AM, cc carlcl...@lavabit.com wrote:
[Arg, forgot to check the linked page before sending; turns out it doesn't
have enough examples. Added a note to the page.]
Actually, it's a lot worse than that, and it's trivial for someone to make a
variable that was quite
On Sun, Feb 28, 2010 at 12:48 AM, Sam qufigh...@gmail.com wrote:
You could test for
strange contents and reject it, make sure it's a string by using
var myval = new String(unsafeWindow.tehvariable) or you could try using
typeof(unsafeWindow.tehvariable)=='string' possibly to avoid issues,
On 2010-02-28 00:57, esquifit wrote:
On Sun, Feb 28, 2010 at 9:49 AM, cccarlcl...@lavabit.com wrote:
[Arg, forgot to check the linked page before sending; turns out it doesn't
have enough examples. Added a note to the page.]
Actually, it's a lot worse than that, and it's trivial for
Ideally there would be some way for the caller to opt out of providing any
sort of identity built into javascript, isn't this a flaw in wrappers that
such information could possibly get through? If the engine knows who is
calling the function shouldn't any wrapper be blacklisted and the caller an
