[Arg, forgot to check the linked page before sending; turns out it
doesn't have enough examples. Added a note to the page.]
Actually, it's a lot worse than that, and it's trivial for someone to
make a "variable" that was quite malicious indeed: see
http://groups.google.com/group/greasemonkey-dev/tree/browse_frm/thread/933ecdb307c4386d/864b5121ad4698cb
for details.
On 2010-02-27 15:48, Sam wrote:
This is why I was going to recommend the innerHTML and substring
approach to solving the problem. It would still be difficult for
someone to change the variable to anything terribly malicious unless
you were going to eval the contents or for some reason call it like it
were a function but I suppose it really all depends on what you do
with the value. You could test for strange contents and reject it,
make sure it's a string by using
var myval = new String(unsafeWindow.tehvariable) or you could try
using typeof(unsafeWindow.tehvariable)=='string' possibly to avoid
issues, it largely depends on what you're doing with it, if you're
throwing it at a database there are obvious risks there. Copy it to
your own variable before you use it in case they change it later.
On Sat, Feb 27, 2010 at 5:44 PM, cc <[email protected]> wrote:
Cautionary note: read the entirety of
http://wiki.greasespot.net/UnsafeWindow, especially if you're
going to be running the script on a page you don't control. Bad
things can happen when you use unsafeWindow.
On 2010-02-27 11:07, Seven wrote:
Thanks, Rod!
(I did try to look it up, if that's what that "umm" means.)
--
cc | pseudonymous |<http://carlclark.mp/>
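
Added example, not part of the original messages: a plain-JavaScript model of the checks discussed in this thread (String coercion, a typeof test, copying the value to your own variable), run against a constructed stand-in for unsafeWindow. The helper names and the page object are assumptions made for illustration, and the model does not reproduce Greasemonkey's privileged sandbox.

```javascript
// Constructed stand-in for unsafeWindow so the example runs in plain Node.js.
function makeHostilePage() {
  const calls = { getter: 0, toString: 0 };
  const page = {
    plainVariable: "hello",
    // The "variable" is an object whose toString is page-controlled code.
    objectVariable: {
      toString() { calls.toString++; return "looks harmless"; },
    },
  };
  // A getter lets the page answer differently on every read.
  Object.defineProperty(page, "shiftyVariable", {
    get() {
      calls.getter++;
      return calls.getter === 1 ? "checked value" : "swapped value";
    },
  });
  return { page, calls };
}

// Coercion as suggested in the thread: this invokes the page's toString.
function coerceWithString(win, name) {
  return new String(win[name]).valueOf();
}

// typeof check followed by a second read: the value used was never checked.
function checkThenUse(win, name) {
  if (typeof win[name] === "string") return win[name];
  return null;
}

// Hypothetical helper: one read into a local, primitive strings only, bounded length.
// The single read still runs a page getter; this only limits what the script accepts.
function readPageString(win, name, maxLength = 256) {
  const value = win[name];
  if (typeof value !== "string" || value.length > maxLength) return null;
  return value;
}

const demo = makeHostilePage();
console.log(coerceWithString(demo.page, "objectVariable"), demo.calls.toString);
console.log(checkThenUse(demo.page, "shiftyVariable"));
console.log(readPageString(makeHostilePage().page, "shiftyVariable"));
```

The coercion path executes page code, and the check-then-use path returns a value that was never checked; only the single-read helper returns the same value it tested.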