On Mon, May 26, 2014 at 2:04 PM, Joe Bowser <[email protected]> wrote:
> On Mon, May 26, 2014 at 9:59 AM, Andrew Grieve <[email protected]> > wrote: > > From: https://issues.apache.org/jira/browse/CB-6746 > > > > Given that you can implement sendJavascript via PluginResults by just > > eval()ing the results, maybe we could just deprecate the function? > > And this comment just earned this proposal a -1. > > Just eval()ing the results is a completely awful idea because it > assumes that we can trust the data being returned from the plugin, > which security researchers have shown many, many times that you can't. > That reason alone makes me want to keep this, although it's also bad > in it's current form. > Did you mean Michal's suggestion a -1? Or mine? To be clear - the sendJavascript function is currently implemented exactly like this. We pass data safely through the bridge as a string, and then eval() it. This security concern is what I meant by my point #2. If we deprecate the call with a comment saying why, then we raise awareness about why it's a bad idea.
