Igor Bukanov wrote:
> It seems the current IE7/IE8 behavior is to allow Cf only in string
> and regexp literals and to allow BOM only in string/regexps or at the
> beginning of the source,
Precisely what does "in string and regexp literals" mean? The exact
interpretation of this phrase is the core source of the aforementioned security
holes.
Folks have exploited putting special characters right after a backslash to
break out of whitelisted literals and execute arbitrary code from JSON; a few
months ago I demonstrated such an attack. Regular expressions offer even more
opportunities for this kind of mischief.
Waldemar
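As an added example that is not part of this thread: one defender-side way to avoid the ambiguity Waldemar points at is not to reason about where Cf characters are "in" a literal at all, but to reject any Unicode format-control character in a JSON text before it reaches anything eval-like, tolerating U+FEFF only as the first character. The function names and the policy are assumptions of this example, and the sample inputs are constructed.

```javascript
// Added example (not from the thread): flag Unicode format-control (Cf)
// characters in JSON text before it is handed to any eval-like consumer.
// Assumed policy: no Cf character anywhere, except one U+FEFF BOM at index 0.
const CF_ANYWHERE = /\p{Cf}/gu;

function findDisallowedCf(text) {
  const hits = [];
  for (const m of text.matchAll(CF_ANYWHERE)) {
    const cp = m[0].codePointAt(0);
    if (cp === 0xfeff && m.index === 0) continue; // leading BOM is tolerated
    hits.push({
      index: m.index,
      codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
    });
  }
  return hits;
}

// Parse only when the scan is clean, and only with JSON.parse (never eval).
function parseStrictJson(text) {
  const bad = findDisallowedCf(text);
  if (bad.length) {
    throw new SyntaxError(
      'format-control character(s) in JSON text at index ' +
        bad.map((h) => h.index).join(', ')
    );
  }
  // JSON.parse itself rejects a leading BOM, so strip the tolerated one.
  return JSON.parse(text.charCodeAt(0) === 0xfeff ? text.slice(1) : text);
}

// Constructed samples.
const clean = '{"name":"ok"}';
const withBom = '\uFEFF{"name":"ok"}';
// U+200B ZERO WIDTH SPACE is Cf; an ordinary JSON.parse accepts it silently.
const hidden = '{"name":"o\u200Bk"}';

console.log(findDisallowedCf(clean));        // []
console.log(findDisallowedCf(withBom));      // []
console.log(findDisallowedCf(hidden));       // [ { index: 10, codePoint: 'U+200B' } ]
console.log(JSON.parse(hidden).name.length); // 3: the character survives a plain parse
```

The scan is position-agnostic, so a Cf character placed right after a backslash is caught the same way as one anywhere else, which is the point: the policy needs no notion of "inside a literal".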
_______________________________________________
Es4-discuss mailing list
https://mail.mozilla.org/listinfo/es4-discuss