Implicit function calls within string formatting operations seem like the sort 
of concept that is likely to lead to security problems on websites and the like.

This isn't a matter of "can the engine do this safely"; it's a question of 
whether the author expects arbitrary code execution to occur when they do

String.format("Someone we don't trust left this amazing comment: %s", 
somethingUntrusted)

For instance ES5 killed off implicit function calls in object and array 
literals (through accessors on the prototype chain) due to the potential for 
unsafe operations (namely data leakage) to occur in code that looked "safe".

--Oliver
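To make the implicit-call concern concrete, here is an added example (my own illustration, not code from Oliver's mail or from any ECMAScript proposal). formatNaive follows the %s semantics under discussion, converting non-strings with .toString(), so a value supplied by an untrusted party gets to run code inside the formatter; formatStrict only accepts primitive strings and never invokes a method on its arguments. The function names and the side-effect object are assumptions for illustration.

```javascript
// Added example, not part of the original thread. Names are illustrative.

// Naive %s: String(v) invokes v.toString() (or v[Symbol.toPrimitive]), i.e.
// whatever code the object's author put there runs during formatting.
function formatNaive(fmt, ...args) {
  let i = 0;
  return fmt.replace(/%s/g, () => String(args[i++]));
}

// Strict %s: only primitive strings are accepted. The typeof check happens
// before any conversion, so no caller-supplied method is ever called.
function formatStrict(fmt, ...args) {
  let i = 0;
  return fmt.replace(/%s/g, () => {
    const v = args[i++];
    if (typeof v !== 'string') {
      throw new TypeError(`%s argument ${i - 1} is not a string`);
    }
    return v;
  });
}

// Constructed "untrusted" value: an object whose toString records that it
// ran, standing in for arbitrary code hidden behind an implicit conversion.
function makeSideEffectValue(log) {
  return {
    toString() { log.push('toString ran'); return 'harmless-looking text'; }
  };
}

// Runs both formatters on the same untrusted input and reports what happened.
function demo() {
  const log = [];
  const naive = formatNaive('Comment: %s', makeSideEffectValue(log));
  let strictError = null;
  try {
    formatStrict('Comment: %s', makeSideEffectValue(log));
  } catch (e) { strictError = e; }
  // naive output looks fine, but log shows the object's code executed;
  // strict path rejected the object without touching it.
  return { naive, log, strictRejected: strictError instanceof TypeError };
}
```

The point is that the naive output looks identical to a safe string, which is exactly why the implicit call is easy to overlook in review.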

On Mar 9, 2011, at 10:48 AM, P T Withington wrote:

> On 2011-03-09, at 13:20, Shanjian Li wrote:
> 
>>> It doesn't specify how to print objects, except for %s, which says that if
>>> the argument is not
>>> a string, convert it to string using .toString().
>>> 
>> 
>> If the format specifier does not apply to the argument given, it should
>> raise exceptions. Except string conversion, no other conversion will be
>> done.
> 
> Disagree.  Since ECMAScript knows the type of the arguments, it does _not_ 
> need the format specifier to tell it the type (as C does).  Apparent 
> mismatches should be left open as extensions.  For example, the `x` formatter 
> should simply specify that numeric values should be expressed in base 16, not 
> that the value _must_ be a number.  That way, you could pass an Array of 
> numbers to `x` and see the numbers in base 16.
> 

_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
