That's a good point. I missed that. Yes, if the mandatory parse rejects template strings, I don't think this particular injection attack is an issue. However, my confidence in the absence of any injection attacks here is now shaken. The new SES code with the RegExp over the params list is still belt-and-suspenders you may be interested in.
On Tue, Jan 15, 2019 at 4:20 PM 'Kevin Reid' via caja-discuss-undisclosed < [email protected]> wrote: > [bcc all lists except main Caja to reduce complexity since this is > strictly Caja] > > On Tue, Jan 15, 2019 at 4:14 PM Mark Miller <[email protected]> wrote: > >> https://github.com/tc39/proposal-realms/issues/193 ... The first should >> affect Caja/original-SES as well. >> > > If I understand correctly, this should not affect Caja's SES because the > patched implementation of Function constructs a single source string from > the given strings and sends it into the now-mandatory parser-rewriter, > which does not allow template strings of any kind. > > -- > -- > --- > You received this message because you are subscribed to the Google Groups > "caja-discuss-undisclosed" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- Cheers, --MarkM -- --- You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
