Hi everyone,

This is some diagnostic information about Kevin Reid's CL and r5443:

  https://codereview.appspot.com/10087044/

When the dust settled, the question remained: Why was r5439 translating the
weird embedded Unicode space in some source text into an escape sequence,
and r5440 not doing so, thus passing it through verbatim?

(Recall: The result of this was that the source in question worked with
r5439, but with r5440, it failed because it did not pass the LIMIT_SRC
RegExp defined in atLeastFreeVarNames.js.)

Well, I think I understand what's going on. Under r5439, the mitigation
options used are:

  (void 0)

meaning all defaults are used. Under r5440, the mitigation options are:

  {
    "maskReferenceError":true,
    "parseProgram":true,
    "rewriteTopLevelVars":true,
    "rewriteTopLevelFuncs":true,
    "rewriteFunctionCalls":true,
    "rewriteTypeOf":false
  }

When used with some jQuery source that did not do anything crazy *except*
invoke "typeof" on top-level lexical variables, then, r5439 rewrote the
code, and r5440 didn't. So under r5439, weird characters were escaped, and
under r5440, they weren't. So the code ran under r5439, but not under r5440.

Whew.

OK, so I think the answer is to check the code for weird Unicode characters
(especially in string literals, where fixing that sort of thing can
actually help), and if that is found to be the case, we should force
rewriting. After that, we scrub through LIMIT_SRC, so either way, we know
we are safe.

Ihab

-- 
Ihab A.B. Awad, Palo Alto, CA

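The check-then-force-rewrite policy proposed above, as an added illustration that is not Caja's own code. It assumes LIMIT_SRC is an ASCII-only check (an assumption about atLeastFreeVarNames.js, not a quote from it), models "force rewriting" as a hypothetical `forceRewrite` option, and escapes non-ASCII characters only inside string literals, since a `\uXXXX` escape in whitespace position outside a literal would not be valid source.

```javascript
// Assumed shape of the LIMIT_SRC check: only ASCII source is accepted.
const LIMIT_SRC = /^[\u0000-\u007f]*$/;

// Non-ASCII characters that JavaScript treats as whitespace or line terminators
// (the kind of "weird embedded Unicode space" the message describes).
const UNICODE_WS = /[\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]/;

function escapeChar(ch) {
  return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
}

// Rewrite one source text so that it becomes ASCII-only without changing meaning:
// inside string literals, non-ASCII characters become \uXXXX escapes; outside
// literals, Unicode whitespace becomes a plain space. Any other non-ASCII
// character is left alone so that LIMIT_SRC still rejects it afterwards.
function escapeNonAscii(src) {
  let out = '';
  let quote = null; // the quote character of the literal we are inside, if any
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') { out += ch + (src[++i] || ''); continue; } // keep existing escapes
      if (ch === quote) quote = null;
      out += ch.charCodeAt(0) > 0x7f ? escapeChar(ch) : ch;
    } else {
      if (ch === '"' || ch === "'") quote = ch;
      out += UNICODE_WS.test(ch) ? ' ' : ch;
    }
  }
  return out;
}

// Policy from the message: if the source would not pass LIMIT_SRC, force the
// rewriting pass (hypothetical forceRewrite flag) regardless of the caller's
// mitigation options, then scrub through LIMIT_SRC so either way we know we are safe.
function prepareSource(src, options) {
  const opts = options === undefined ? {} : Object.assign({}, options);
  let text = src;
  if (!LIMIT_SRC.test(src)) {
    opts.forceRewrite = true;
    text = escapeNonAscii(src);
  }
  if (!LIMIT_SRC.test(text)) {
    throw new EvalError('source still fails LIMIT_SRC after rewriting');
  }
  return { options: opts, source: text };
}
```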