## Background

There are two issues covered by this advisory:

* SES did not correctly interpret identifiers written with Unicode escape
sequences, e.g. `\u0077indow` (which the JavaScript engine treats as the
identifier `window`), and did not recognize at all the `\u{...}` escape
syntax introduced by ECMAScript 2015. This allowed sandboxed code to reach
host global variables (such as `window` and `document`) by spelling their
names with escaped characters.

* For applications that use the Google API tamings (not enabled by
default), the taming of the Charts / Visualization API did not protect
against all of the ways in which chart data could be caused to be
interpreted as arbitrary HTML.
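
As an added illustration of the first issue (example code, not Caja's or SES's own): the JavaScript engine treats `\u0077indow` and `window` as the same identifier, so any guard that compares names as spelled is bypassed. The hardened check below decodes both the `\uXXXX` form and the ES2015 `\u{...}` form before consulting a deny-list of host globals, and fails closed on a malformed escape; the deny-list contents and that fail-closed policy are assumptions of this example, not something the advisory states about SES.

```javascript
// Added example, not Caja/SES code: canonicalise Unicode escapes in an
// identifier before comparing it against a deny-list of host globals.
// Handles the ES5 form `\uXXXX` and the ES2015 form `\u{X...}` (1-6 hex digits).
const IDENT_ESCAPE_RE = /\\u(?:\{([0-9a-fA-F]{1,6})\}|([0-9a-fA-F]{4}))/g;

// Returns the identifier with every well-formed \u escape replaced by the
// character it denotes. A stray backslash (malformed escape) is a syntax
// error in an identifier, so it is rejected rather than guessed at.
function decodeIdentifierEscapes(name) {
  const decoded = name.replace(IDENT_ESCAPE_RE, (_, braced, fixed) => {
    const cp = parseInt(braced !== undefined ? braced : fixed, 16);
    if (cp > 0x10ffff) {
      throw new SyntaxError(`code point out of range in identifier ${name}`);
    }
    return String.fromCodePoint(cp);
  });
  if (decoded.includes('\\')) {
    throw new SyntaxError(`malformed escape in identifier ${name}`);
  }
  return decoded;
}

// Assumed deny-list for this example; a real sandbox derives the set of
// forbidden names from the host environment rather than hard-coding it.
const HOST_GLOBALS = new Set(['window', 'document', 'self', 'top', 'parent', 'globalThis']);

// The flawed pattern: compares the identifier as spelled, so `\u0077indow`
// is not recognised as `window`.
function naiveIsHostGlobal(name) {
  return HOST_GLOBALS.has(name);
}

// The hardened pattern: canonicalise first, and fail closed (treat the name
// as forbidden) when the spelling cannot be decoded.
function isHostGlobal(name) {
  let canonical;
  try {
    canonical = decodeIdentifierEscapes(name);
  } catch (e) {
    return true;
  }
  return HOST_GLOBALS.has(canonical);
}

// Shows that the engine itself resolves all three spellings to the same
// binding, which is why the deny-list check must see the decoded name.
function escapedSpellingResolvesToGlobal() {
  const plain = Function('return globalThis')();
  const es5 = Function('return \\u0067lobalThis')();    // source text: \u0067lobalThis
  const es2015 = Function('return \\u{67}lobalThis')(); // source text: \u{67}lobalThis
  return plain === es5 && es5 === es2015;
}

// Stand-alone demonstration.
for (const spelling of ['window', '\\u0077indow', '\\u{64}ocument', 'harmless']) {
  console.log(spelling.padEnd(14), 'naive:', naiveIsHostGlobal(spelling),
              'hardened:', isHostGlobal(spelling));
}
console.log('engine resolves escaped spellings to the global object:',
            escapedSpellingResolvesToGlobal());
```

Run it under Node.js; `escapedSpellingResolvesToGlobal()` uses `globalThis` rather than `window` so the demonstration works outside a browser as well. The point of the fail-closed branch is that an identifier the checker cannot decode is exactly the kind of input a future parsing gap would come from, which is the same reasoning behind the "backstop" protection mentioned under More Information.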

## Impact and Advice

This is a complete breach of the Caja sandbox. All users should immediately
upgrade to Caja v6008 (https://github.com/google/caja/releases/tag/v6008)
or later.

## More Information

Discussion of the fix for SES may be found at:

  * https://codereview.appspot.com/285330043/
  * https://codereview.appspot.com/283510043/

Note that we have included an additional “backstop” protection to reduce
the exploitability of any future errors in variable name processing.

Discussion of the fix for Charts taming may be found at:

  * https://codereview.appspot.com/286220043/

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"Google Caja Discuss" group.