Diego,
a function will always suffer from the arguments "problem" if you are
evaluating something.

About risks, Javascript is evaluated in any case, starting from the fact it
is an interpreted embedded language.

But, if we would like to have a sandbox, for security reasons, there's no
way to evaluate properly without a dedicated, in core, and safe, function.

The alternative is a new super window object, aka iframe, but deleting and /
or using parent properties, we are still under attack! :D

Moreover, the goal of that function is to evaluate as global scope code,
written directly in the page, and there is nothing "more dangerous", but it is
exactly what we need, correct?

In any case, the setAttribute trick sounds like setTimeout("alert(stuff)",
0), we are still evaluating code, and the problem is not how we are doing
it, but if we are "skilled enough" to avoid problems with code injections.

Last thing, Rhino developers often disable eval in some production
environments, but Function still does its work, so a fake global scope
evaluation could always be Function(data)(), but again with arguments
problems.

In sum, I do not see any difference between a string inside a tag attribute,
and a string inside Function constructor.

Regards,
Andrea

On Thu, Sep 18, 2008 at 2:00 PM, Diego Perini <[EMAIL PROTECTED]> wrote:

>
> Andrea,
> in my previous message there were errors in the code; too sleepy to
> type.
>
> Last line should have been "alert(typeof img.onabort)".
>
> This is what works on FF3 without appending to DOM, doesn't work on IE
> 6 (I re-tested it).
>
> var img = document.createElement("img");
> img.setAttribute("onabort", "alert(1)");
> alert(typeof img.onabort);
>
> A similar workaround may be used for IE 6 compatibility, again without
> adding to the DOM:
>
> var orphan = document.createElement('orphan');
> orphan.innerHTML = '<img onerror="alert(1)" />';
> alert(typeof orphan.firstChild.onerror);
>
> Probably not appending is less resource demanding.
>
> It was just curiosity about what others think about this since it
> poses some security concerns like we have seen for "eval" and friends.
>
> I have nothing wrong with current globalEval. Just poking around and
> see what could be done and what could/should not be done.
>
> Thank you for answering,
>
> --
> Diego Perini
>
>
> On 18 Sep, 13:15, "Andrea Giammarchi" <[EMAIL PROTECTED]> wrote:
> > Last version:
> >
> > globalEval = (function(Image){
> >     Image.style.position    = "absolute";
> >     Image.style.left        =
> >     Image.style.top        = "-10000px";
> >     return    function(eval){
> >         var    body    = document.body || document.documentElement;
> >         (Image = Image.cloneNode(true)).setAttribute("onerror", eval);
> >         body.appendChild(Image);
> >         Image.onerror.call(null);
> >         body.removeChild(Image);
> >     }
> >
> > })(new Image(1, 1));
> >
> > But for the described reason, all this stuff becomes the same as this one,
> > correct?
> >
> > globalEval = function(){Function(arguments[0])()};
> >
> > :-)
> >
> > On Thu, Sep 18, 2008 at 11:57 AM, Andrea Giammarchi <
> >
> > [EMAIL PROTECTED]> wrote:
> > > Still me, Diego :-)
> >
> > > I was confused about the usage of function inside the setAttribute.
> >
> > > As you know, it is a function by default, so this example works, but there
> > > are still problems I was talking about:
> >
> > > onload = function(){
> > >     var    img = document.createElement("img");
> > >     img.setAttribute("onerror", "alert([this, arguments.length])");
> > >     document.body.appendChild(img);
> > >     img.onerror();
> > >     document.body.removeChild(img);
> > > };
> >
> > > To solve it we could simply use a function like this one:
> >
> > > globalEval = (function(Image){
> > >     Image.style.position    = "absolute";
> > >     Image.style.left        =
> > >     Image.style.top        = "-10000px";
> > >     return    function(eval){
> > >         Image.setAttribute("onerror", eval);
> > >         with(document.body || document.documentElement){
> > >             appendChild(Image);
> > >             Image.onerror.call(null);
> > >             removeChild(Image)
> > >         }
> > >     }
> > > })(new Image(1, 1));
> >
> > > But the arguments problem is still there:
> >
> > > arguments = [1,2,3];
> > > globalEval("document.write([arguments.length, arguments.callee])");
> >
> > > 0,function onerror(event, source, lineno) {
> > > document.write([arguments.length, arguments.callee]); }
> >
> > > Kind Regards
> >
> > > On Thu, Sep 18, 2008 at 9:18 AM, Andrea Giammarchi <
> > > [EMAIL PROTECTED]> wrote:
> >
> > >> Hi Diego,
> >
> > >> in my test cases your example does not work.
> > >> At the same time, I am not sure you have to put the image in the DOM,
> > >> before the event could be called.
> >
> > >> If you need to do it, the evaluation will be async, so as globalEval
> > >> replacement, it is not that good.
> >
> > >> If not, you are still evaluating "whatever" inside a function and, as you
> > >> know, this simply means that if you have a global scope variable, called
> > >> arguments, you will never be able to use it as is, unless you specify the
> > >> global object as prefix (window or self, because this will be the image
> > >> itself)
> >
> > >> I wonder why you are still looking for a globalEval alternative. What I
> > >> mean is: which kind of problem has the current solution?
> >
> > >> I would like to know it and try to fix it, if it is possible, since "I
> > >> feel a bit responsible" for that code :-)
> >
> > >> Regards
> >
> > >> On Thu, Sep 18, 2008 at 1:23 AM, Diego Perini <[EMAIL PROTECTED]> wrote:
> >
> > >>> Hi devs,
> > >>> would like to leave a note on this, seems interesting and maybe can be
> > >>> used as an alternative to globalEval.
> >
> > >>> It turns out that we have another way to evaluate javascript strings
> > >>> easily, namely by using setAttribute() to assign a string value to
> > >>> some specific attribute like the DOM 0 (or in-line) event.
> >
> > >>> So, at first I tried using the standard body "onload" attribute, but
> > >>> in IE that didn't work as in FF.
> >
> > >>> Then I did some tests with an image and that worked both in FF and in
> > >>> IE (believe it works in other browsers too).
> >
> > >>> var img = document.createElement('img'); // or just new Image();
> > >>> img.setAttribute("onabort", "function () {}"); // onerror, onload also work
> > >>> alert(typeof img.onload); // yields function instead of string...good.
> >
> > >>> I was thinking of this while thinking of Air, Caja and similar.
> >
> > >>> Evil...good...useful ?
> >
> > >>> Your thoughts appreciated.
> >
> > >>> --
> > >>> Diego Perini
> >
>
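The `arguments` problem debated in this thread, reproduced outside the browser as an added example (not code from any poster in the thread). It assumes Node.js; `viaFunction`, `viaIndirectEval` and `demo` are hypothetical names, and the indirect-eval comparison is not something the thread itself discusses.

```javascript
// Added example, not from the thread. Runs in Node.js; no DOM needed.

// A global named `arguments`, as in the thread's test case.
globalThis.arguments = [1, 2, 3];

// The thread's fallback: compile the string as a function body and call it.
// The body gets its own `arguments` object, which hides the global one.
function viaFunction(code) {
  return Function(code)();
}

// Comparison (assumption of this example): indirect eval runs the string
// as global code, so no function-level `arguments` object exists.
function viaIndirectEval(code) {
  return (0, eval)(code);
}

function demo() {
  // A closure-local value; neither evaluation path should be able to see it.
  const secret = "closure-local";
  return {
    // Function body sees its own empty arguments object.
    fnArgsLength: viaFunction("return arguments.length"),
    // The global is still reachable through an explicit global prefix.
    fnGlobalArgs: viaFunction("return globalThis.arguments.length"),
    // Function() code is compiled against the global scope only.
    fnSeesLocal: viaFunction("return typeof secret"),
    // Indirect eval resolves `arguments` to the global variable.
    evalArgsLength: viaIndirectEval("arguments.length"),
    evalSeesLocal: viaIndirectEval("typeof secret"),
  };
}

console.log(demo());
```

Both paths execute an arbitrary string with full access to globals, so each is a code-injection sink whenever the string is attacker-influenced, the same as an inline event-handler attribute.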
