## Background

Browsers have recently added new language features which allow executing
code from a string:

* the dynamic `import` expression, and
* async functions and async generators (more precisely, the constructors of
such functions, which compile source text passed to them as a string).

SES, being unaware of these features, could not prevent them from being
used to execute arbitrary code.

## Impact and Advice

This is a complete breach of the Caja sandbox. All users should immediately
upgrade to Caja [v6012](https://github.com/google/caja/releases/tag/v6012)
or later.

In order to prevent future vulnerabilities of this form, we have switched
to having SES and Caja always parse and rewrite the input JS, to guarantee
that the input is within the correctly-understood subset of the language.
This unfortunately means that source position information in exceptions
will not be useful. We are looking into solutions for this problem.
