On Sun, Feb 28, 2010 at 12:48 AM, Sam <[email protected]> wrote:
> You could test for
> strange contents and reject it, make sure it's a string by using
> var myval = new String(unsafeWindow.tehvariable) or you could try using
> typeof(unsafeWindow.tehvariable)=='string' possibly to avoid issues,

Actually this is exactly what you should avoid.  The mere fact of
mentioning "unsafeWindow.something" is (potentially) unsafe, even if
"something" is a variable, since the page can define "something" to be
a getter method that can escalate the call stack back until reaching
the Greasemonkey sandbox scope and do things there with the privileges
of this sandbox, if any.  The current release of Greasemonkey makes
provisions for hindering access to the GM_* API; I don't know if there
are other risks.

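The point made in the reply above, as an added example that is not part of the original thread: a plain object stands in for `unsafeWindow` (an assumption, so the code runs in Node rather than in Greasemonkey), and the page defines `tehvariable` as a getter. Both checks from the quoted message run page code, and the value that passed the `typeof` test is not the value that ends up in `myval`.

```javascript
// Constructed stand-in for unsafeWindow: a plain object the "page" controls.
// In Greasemonkey the real object is the page's window; names here are hypothetical.
function makePageWindow(log) {
  const pageWindow = {};
  let reads = 0;
  // Page-side code: "tehvariable" looks like data but is an accessor property.
  Object.defineProperty(pageWindow, "tehvariable", {
    enumerable: true,
    get() {
      reads += 1;
      // Anything placed here executes synchronously inside the reader's call.
      log.push("page getter ran on read #" + reads);
      // The first read returns a harmless string, later reads return an object.
      return reads === 1
        ? "hello"
        : { toString: () => "not what was checked" };
    },
  });
  return pageWindow;
}

// The two checks suggested in the quoted message, as a user script might write them.
function userScriptCheck(unsafeWindow) {
  // Read 1: typeof still evaluates the property, so the getter runs.
  const looksLikeString = typeof unsafeWindow.tehvariable === "string";
  // Read 2: a second, independent read; the getter runs again and may differ.
  const myval = new String(unsafeWindow.tehvariable);
  return { looksLikeString, myval: myval.toString() };
}

function demo() {
  const log = [];
  const result = userScriptCheck(makePageWindow(log));
  return { result, pageCodeRuns: log.length, log };
}

console.log(demo());
```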