On Fri, Aug 9, 2013 at 2:59 PM, Jim Blandy <jbla...@mozilla.com> wrote:
>
> The taint analysis applies to strings only, and has four parts:
>
> * It identifies certain *sources* of strings as "tainted":
> document.URL, input fields, and so on.
> * The JavaScript engine propagates taint information on strings.
> Taking a substring of a tainted string, or concatenating a tainted
> string, yields a tainted string. Regexp operations, charAt, and so
> on all propagate taint information. And so on.
> * It identifies certain *sinks* as vulnerable: eval, 'src' attributes
> on script elements, and so on.
> * Finally, the tool's user interface logs the appearance of tainted
> strings at vulnerable sinks. The taint metadata actually records the
> provenance of each region of a tainted string, so the tool can
> explain exactly why the final string is tainted, which is really
> helpful in constructing XSS attacks.
Are there any operations that are considered to untaint tainted strings? I seem to remember that in Perl's taint mode a regexp search-and-replace operation untaints, but I could be wrong.

Nick

_______________________________________________
dev-tech-js-engine-internals mailing list
dev-tech-js-engine-internals@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
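A small JavaScript model of the four-part scheme quoted above, added here as an illustration rather than code from SpiderMonkey or the tool Jim describes: it carries per-region provenance through substring, concat and a regexp search-and-replace (which, as in the quoted description, propagates taint rather than clearing it) and reports at a sink which pieces came from which source. The URL, the source label and the sink name are constructed.

```javascript
// Toy model of per-region taint provenance on strings (constructed example,
// not SpiderMonkey's implementation). regions: [{start, end, source}]
class Tainted {
  constructor(text, regions = []) { this.text = text; this.regions = regions; }
  static fromSource(text, source) { return new Tainted(text, [{ start: 0, end: text.length, source }]); }
  static clean(text) { return new Tainted(text); }
  get tainted() { return this.regions.length > 0; }
  // substring: keep only the parts of each region inside [a, b), re-based to 0
  slice(a, b = this.text.length) {
    const regions = this.regions
      .filter(r => r.start < b && r.end > a)
      .map(r => ({ start: Math.max(r.start, a) - a, end: Math.min(r.end, b) - a, source: r.source }));
    return new Tainted(this.text.slice(a, b), regions);
  }
  // concat: the other string's regions shift right by this string's length
  concat(other) {
    const off = this.text.length;
    const shifted = other.regions.map(r => ({ start: r.start + off, end: r.end + off, source: r.source }));
    return new Tainted(this.text + other.text, this.regions.concat(shifted));
  }
  // regexp search-and-replace (re must carry the g flag). Taint is propagated,
  // not cleared: replacement text inherits the sources of the span it replaces.
  replace(re, repl) {
    let out = Tainted.clean(""), last = 0;
    for (const m of this.text.matchAll(re)) {
      out = out.concat(this.slice(last, m.index));
      const sources = [...new Set(this.slice(m.index, m.index + m[0].length).regions.map(r => r.source))];
      out = out.concat(new Tainted(repl, sources.map(source => ({ start: 0, end: repl.length, source }))));
      last = m.index + m[0].length;
    }
    return out.concat(this.slice(last));
  }
}

// Sink check: explain which pieces of the string came from which source
function checkSink(sink, value) {
  if (!value.tainted) return null;
  return { sink, text: value.text,
    why: value.regions.map(r => `${r.source} -> ${JSON.stringify(value.text.slice(r.start, r.end))} at ${r.start}-${r.end}`) };
}

// Walk a URL parameter into a string headed for eval, escaping quotes on the way
function demo() {
  const url = Tainted.fromSource("http://example.test/page?q=it's", "document.URL");   // constructed URL
  const q = url.slice(url.text.indexOf("q=") + 2);                                    // "it's", still tainted
  const code = Tainted.clean("var q = '").concat(q).concat(Tainted.clean("';"));
  const escaped = code.replace(/'/g, "\\'");   // clean quotes stay clean, the tainted one stays tainted
  return { before: checkSink("eval", code), after: checkSink("eval", escaped) };
}
```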