Comment #9 on issue 1274 by [email protected]: Current "virtualize" strategy isn't safe
http://code.google.com/p/google-caja/issues/detail?id=1274
but also third-party stuff like json_sans_eval.js.
There should be a limited enough number of these that we can manually
inspect them. For any such issues that arise, if we protect
Function.prototype.call and Function.prototype.apply (which I think we
should do anyway), and if these uncajoled libraries are initialized before
any untrusted cajoled code runs, then a better defensive pattern is:
// at initialization time
var call = Function.prototype.call;
var sort = Array.prototype.sort;
// at runtime: equivalent to x.sort(comparator), but via the captured references
call.call(sort, x, comparator);
The reason this is better is that it makes the code more defensive against
other post-initialize monkey patching that might happen in its frame in
non-caja environments as well.
(Alternatively, if for some reason we wish to rewrite into the less
defensive Array.prototype.sort(x, comparator) style, we load these
libraries into a non-caja frame. But I don't see any reason to.)