This is why I was going to recommend the innerHTML and substring approach to
solving the problem.  It would still be difficult for someone to change the
variable to anything terribly malicious unless you were going to eval the
contents or for some reason call it like it were a function, but I suppose it
really all depends on what you do with the value.  You could test for
strange contents and reject it, make sure it's a string by using
var myval = new String(unsafeWindow.tehvariable), or you could try using
typeof(unsafeWindow.tehvariable)=='string' possibly to avoid issues. It
largely depends on what you're doing with it; if you're throwing it at a
database there are obvious risks there.  Copy it to your own variable before
you use it in case they change it later.

On Sat, Feb 27, 2010 at 5:44 PM, cc <[email protected]> wrote:

> Cautionary note: read the entirety of
> http://wiki.greasespot.net/UnsafeWindow, especially if you're going to be
> running the script on a page you don't control. Bad things can happen when
> you use unsafeWindow.
>
>
> On 2010-02-27 11:07, Seven wrote:
>
>> Thanks, Rod!
>>
>> (I did try to look it up, if that's what that "umm" means.)
>>
> --
> cc | pseudonymous |<http://carlclark.mp/>
>
>
> --
> || Confidence is the feeling you have before you really understand the
> problem. || http://tagzilla.mozdev.org v0.066
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "greasemonkey-users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]<greasemonkey-users%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/greasemonkey-users?hl=en.
>
>
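
The checks suggested in the reply above (one read into your own copy, a typeof test, rejecting unexpected contents), as an added example that is not code from this thread. `readPageString`, the ID pattern and the stand-in page objects are constructed for illustration; in a userscript the first argument would be `unsafeWindow`.

```javascript
// Defensive read of a page-owned value in a userscript (added example).
// readPageString and the sample objects below are hypothetical names.

function readPageString(pageWindow, name, allowed, maxLen) {
  let value;
  try {
    // Read exactly once: the property may be a getter the page controls,
    // and a second read could return something different.
    value = pageWindow[name];
  } catch (e) {
    return null; // a page-defined getter threw
  }
  // Accept only primitive strings. Nothing here coerces the value,
  // so no page-defined toString() or valueOf() is ever invoked.
  if (typeof value !== 'string') return null;
  if (value.length > maxLen) return null;
  // Allowlist the expected shape instead of hunting for "strange" content.
  if (!allowed.test(value)) return null;
  return value; // primitive strings are immutable: this is our own copy
}

// Constructed stand-ins for unsafeWindow.
const honestPage = { tehvariable: 'user_12345' };

let reads = 0; // counts how often the page's getter was hit
const shiftingPage = {
  get tehvariable() {
    // First read looks fine, later reads return something else.
    return reads++ === 0 ? 'user_12345' : "x'; DROP TABLE t;--";
  }
};

// An object whose string conversion is page-controlled.
const objectPage = {
  tehvariable: { toString() { throw new Error('page code ran'); } }
};

const ID = /^[A-Za-z0-9_]{1,32}$/; // assumed shape of the expected value

// Usage: keep and reuse the returned copy; never go back to the page object.
const myval = readPageString(honestPage, 'tehvariable', ID, 32);
```

If the value later goes into a database query, pass `myval` as a bound parameter; the allowlist narrows the input but does not replace parameterization.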
